amadey | bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c

Analysis

max time kernel
300s
max time network
297s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10-10-2024 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c.exe
Size

1.8MB
MD5

338fd6192a1bfaadbf72002bc5f8323e
SHA1

b465094f062d170487b50ae46b28325d4b156d58
SHA256

bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c
SHA512

bb0c58e71eccd9edf0acfb04cc23d4fc8d6250938a4ee0a42698ab53f07ebc66c1776b0e3d668e9aad0aab2c1e0e37261508013996b9ac0dea1fe77da992a167
SSDEEP

49152:wBxhTWeSd89d4s9Euz7orTXuk1rslL/eV:wgHdU1dzcr0lb

Score

10^/10

amadey cryptbot lumma redline stealc 9c9aa5 default2 doma fed3aa newbundle2 tg cloud @rlreborn admin @fatherofcarders credential_access discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

lumma

https://drawwyobstacw.sbs

https://condifendteu.sbs

https://ehticsprocw.sbs

https://vennurviot.sbs

https://resinedyw.sbs

https://enlargkiw.sbs

https://allocatinow.sbs

https://mathcucom.sbs

https://clearancek.site

https://licendfilteo.site

https://spirittunek.store

https://bathdoomgaz.store

https://studennotediw.store

https://dissapoiznw.store

https://eaglepawnoy.store

https://mobbipenju.store

Extracted

Family

stealc

Botnet

default2

http://185.215.113.17

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

redline

Botnet

newbundle2

185.215.113.67:15206

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

redline

Botnet

TG CLOUD @RLREBORN Admin @FATHEROFCARDERS

89.105.223.196:29862

Extracted

Family

stealc

Botnet

doma

http://185.215.113.37

Attributes

url_path
/e2b1563c6670f193.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

Detects CryptBot payload 1 IoCs

CryptBot is a C++ stealer distributed widely in bundle with other software.

spyware stealer

resource	yara_rule
behavioral1/memory/4060-703-0x0000000069CC0000-0x000000006A377000-memory.dmp	family_cryptbot_v3

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 7 IoCs

resource	yara_rule
behavioral1/files/0x0005000000019645-134.dat	family_redline
behavioral1/memory/2292-144-0x0000000000330000-0x0000000000382000-memory.dmp	family_redline
behavioral1/memory/2756-380-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/2756-379-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/2756-378-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/2756-375-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/2756-373-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cfdd099bb1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3f7ed2c2ff.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2ca9b1788d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2c3b4fdf47.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2c3b4fdf47.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3f7ed2c2ff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3f7ed2c2ff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2ca9b1788d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2ca9b1788d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cfdd099bb1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2c3b4fdf47.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cfdd099bb1.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Office Manager.url	splwow64.exe

Executes dropped EXE 28 IoCs

pid	Process
1932	axplong.exe
2916	gold.exe
572	legas.exe
2084	ztHNqAle0j.exe
444	2wnJHfjJq0.exe
2436	stealc_default2.exe
2292	newbundle2.exe
400	2c3b4fdf47.exe
2748	cfdd099bb1.exe
2340	skotes.exe
1612	MK.exe
2128	Nework.exe
2668	Hkbsse.exe
1628	processclass.exe
1084	splwow64.exe
2148	e31f9a865a.exe
2592	num.exe
3648	3f7ed2c2ff.exe
3976	Set-up.exe
4060	sadsay.exe
1596	2ca9b1788d.exe
2028	context.exe
3208	out.exe
3492	service123.exe
1608	service123.exe
3952	service123.exe
3836	service123.exe
3372	service123.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine	2ca9b1788d.exe
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine	bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c.exe
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine	2c3b4fdf47.exe
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine	cfdd099bb1.exe
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine	3f7ed2c2ff.exe

Loads dropped DLL 56 IoCs

pid	Process
2116	bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c.exe
1932	axplong.exe
1932	axplong.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
1932	axplong.exe
1708	WerFault.exe
1708	WerFault.exe
1708	WerFault.exe
1708	WerFault.exe
1564	MSBuild.exe
1708	WerFault.exe
1564	MSBuild.exe
1932	axplong.exe
1932	axplong.exe
1932	axplong.exe
1932	axplong.exe
1932	axplong.exe
1932	axplong.exe
2748	cfdd099bb1.exe
1932	axplong.exe
1932	axplong.exe
2128	Nework.exe
1932	axplong.exe
2436	stealc_default2.exe
2436	stealc_default2.exe
1932	axplong.exe
2340	skotes.exe
2340	skotes.exe
2340	skotes.exe
2340	skotes.exe
2340	skotes.exe
1932	axplong.exe
1932	axplong.exe
2668	Hkbsse.exe
2668	Hkbsse.exe
2340	skotes.exe
2340	skotes.exe
2340	skotes.exe
1932	axplong.exe
1932	axplong.exe
1140	WerFault.exe
1140	WerFault.exe
1140	WerFault.exe
1140	WerFault.exe
1140	WerFault.exe
4060	sadsay.exe
4060	sadsay.exe
3492	service123.exe
1608	service123.exe
3952	service123.exe
3836	service123.exe
3372	service123.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\2c3b4fdf47.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000354001\\2c3b4fdf47.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\cfdd099bb1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000355001\\cfdd099bb1.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\e31f9a865a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000332001\\e31f9a865a.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\num.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000336001\\num.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\3f7ed2c2ff.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000349001\\3f7ed2c2ff.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\2ca9b1788d.exe = "C:\\Users\\Admin\\1000350002\\2ca9b1788d.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000500000001a488-479.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
2116	bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c.exe
1932	axplong.exe
400	2c3b4fdf47.exe
2748	cfdd099bb1.exe
2340	skotes.exe
3648	3f7ed2c2ff.exe
1596	2ca9b1788d.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2916 set thread context of 536	2916	gold.exe	32
PID 572 set thread context of 1564	572	legas.exe	36
PID 1612 set thread context of 2756	1612	MK.exe	49
PID 1084 set thread context of 3904	1084	splwow64.exe	86

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c.exe
File created	C:\Windows\Tasks\skotes.job	cfdd099bb1.exe
File created	C:\Windows\Tasks\Hkbsse.job	Nework.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2656	2916	WerFault.exe	31
1708	572	WerFault.exe	35
1140	2028	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	newbundle2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	splwow64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sadsay.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e31f9a865a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gold.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	context.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	num.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c3b4fdf47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f7ed2c2ff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfdd099bb1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	legas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ca9b1788d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nework.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	sadsay.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Set-up.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_default2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Set-up.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	sadsay.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3384	timeout.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
1060	taskkill.exe
2992	taskkill.exe
2688	taskkill.exe
2192	taskkill.exe
3100	taskkill.exe
1984	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	newbundle2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	ztHNqAle0j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ztHNqAle0j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ztHNqAle0j.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	3f7ed2c2ff.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	3f7ed2c2ff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	newbundle2.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4024	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2028	context.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2116	bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c.exe
1932	axplong.exe
2436	stealc_default2.exe
400	2c3b4fdf47.exe
444	2wnJHfjJq0.exe
2084	ztHNqAle0j.exe
2748	cfdd099bb1.exe
2340	skotes.exe
2436	stealc_default2.exe
2148	e31f9a865a.exe
2148	e31f9a865a.exe
2148	e31f9a865a.exe
2148	e31f9a865a.exe
2756	RegAsm.exe
2756	RegAsm.exe
2756	RegAsm.exe
2756	RegAsm.exe
2756	RegAsm.exe
2756	RegAsm.exe
2756	RegAsm.exe
2756	RegAsm.exe
2756	RegAsm.exe
2756	RegAsm.exe
2756	RegAsm.exe
2756	RegAsm.exe
2756	RegAsm.exe
2756	RegAsm.exe
2756	RegAsm.exe
2756	RegAsm.exe
2756	RegAsm.exe
2756	RegAsm.exe
2756	RegAsm.exe
2756	RegAsm.exe
2756	RegAsm.exe
3648	3f7ed2c2ff.exe
1596	2ca9b1788d.exe
2028	context.exe
2028	context.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeBackupPrivilege	2084	ztHNqAle0j.exe
Token: SeBackupPrivilege	444	2wnJHfjJq0.exe
Token: SeSecurityPrivilege	444	2wnJHfjJq0.exe
Token: SeSecurityPrivilege	2084	ztHNqAle0j.exe
Token: SeSecurityPrivilege	444	2wnJHfjJq0.exe
Token: SeSecurityPrivilege	2084	ztHNqAle0j.exe
Token: SeSecurityPrivilege	444	2wnJHfjJq0.exe
Token: SeSecurityPrivilege	2084	ztHNqAle0j.exe
Token: SeSecurityPrivilege	444	2wnJHfjJq0.exe
Token: SeSecurityPrivilege	2084	ztHNqAle0j.exe
Token: SeDebugPrivilege	444	2wnJHfjJq0.exe
Token: SeDebugPrivilege	2084	ztHNqAle0j.exe
Token: SeDebugPrivilege	1984	taskkill.exe
Token: SeDebugPrivilege	1060	taskkill.exe
Token: SeDebugPrivilege	2992	taskkill.exe
Token: SeDebugPrivilege	2688	taskkill.exe
Token: SeDebugPrivilege	2192	taskkill.exe
Token: SeDebugPrivilege	1148	firefox.exe
Token: SeDebugPrivilege	1148	firefox.exe
Token: SeDebugPrivilege	2756	RegAsm.exe
Token: SeDebugPrivilege	1628	processclass.exe
Token: SeDebugPrivilege	1084	splwow64.exe
Token: SeDebugPrivilege	3100	taskkill.exe
Token: SeDebugPrivilege	2028	context.exe

Suspicious use of FindShellTrayWindow 16 IoCs

pid	Process
2116	bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c.exe
2748	cfdd099bb1.exe
2128	Nework.exe
2148	e31f9a865a.exe
2148	e31f9a865a.exe
2148	e31f9a865a.exe
2148	e31f9a865a.exe
2148	e31f9a865a.exe
2148	e31f9a865a.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
2148	e31f9a865a.exe
2148	e31f9a865a.exe
2148	e31f9a865a.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2148	e31f9a865a.exe
2148	e31f9a865a.exe
2148	e31f9a865a.exe
2148	e31f9a865a.exe
2148	e31f9a865a.exe
2148	e31f9a865a.exe
1148	firefox.exe
1148	firefox.exe
1148	firefox.exe
2148	e31f9a865a.exe
2148	e31f9a865a.exe
2148	e31f9a865a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 1932	2116	bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c.exe	30
PID 2116 wrote to memory of 1932	2116	bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c.exe	30
PID 2116 wrote to memory of 1932	2116	bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c.exe	30
PID 2116 wrote to memory of 1932	2116	bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c.exe	30
PID 1932 wrote to memory of 2916	1932	axplong.exe	31
PID 1932 wrote to memory of 2916	1932	axplong.exe	31
PID 1932 wrote to memory of 2916	1932	axplong.exe	31
PID 1932 wrote to memory of 2916	1932	axplong.exe	31
PID 2916 wrote to memory of 536	2916	gold.exe	32
PID 2916 wrote to memory of 536	2916	gold.exe	32
PID 2916 wrote to memory of 536	2916	gold.exe	32
PID 2916 wrote to memory of 536	2916	gold.exe	32
PID 2916 wrote to memory of 536	2916	gold.exe	32
PID 2916 wrote to memory of 536	2916	gold.exe	32
PID 2916 wrote to memory of 536	2916	gold.exe	32
PID 2916 wrote to memory of 536	2916	gold.exe	32
PID 2916 wrote to memory of 536	2916	gold.exe	32
PID 2916 wrote to memory of 536	2916	gold.exe	32
PID 2916 wrote to memory of 2656	2916	gold.exe	33
PID 2916 wrote to memory of 2656	2916	gold.exe	33
PID 2916 wrote to memory of 2656	2916	gold.exe	33
PID 2916 wrote to memory of 2656	2916	gold.exe	33
PID 1932 wrote to memory of 572	1932	axplong.exe	35
PID 1932 wrote to memory of 572	1932	axplong.exe	35
PID 1932 wrote to memory of 572	1932	axplong.exe	35
PID 1932 wrote to memory of 572	1932	axplong.exe	35
PID 572 wrote to memory of 1564	572	legas.exe	36
PID 572 wrote to memory of 1564	572	legas.exe	36
PID 572 wrote to memory of 1564	572	legas.exe	36
PID 572 wrote to memory of 1564	572	legas.exe	36
PID 572 wrote to memory of 1564	572	legas.exe	36
PID 572 wrote to memory of 1564	572	legas.exe	36
PID 572 wrote to memory of 1564	572	legas.exe	36
PID 572 wrote to memory of 1564	572	legas.exe	36
PID 572 wrote to memory of 1564	572	legas.exe	36
PID 572 wrote to memory of 1564	572	legas.exe	36
PID 572 wrote to memory of 1564	572	legas.exe	36
PID 572 wrote to memory of 1708	572	legas.exe	37
PID 572 wrote to memory of 1708	572	legas.exe	37
PID 572 wrote to memory of 1708	572	legas.exe	37
PID 572 wrote to memory of 1708	572	legas.exe	37
PID 1564 wrote to memory of 2084	1564	MSBuild.exe	38
PID 1564 wrote to memory of 2084	1564	MSBuild.exe	38
PID 1564 wrote to memory of 2084	1564	MSBuild.exe	38
PID 1564 wrote to memory of 2084	1564	MSBuild.exe	38
PID 1564 wrote to memory of 444	1564	MSBuild.exe	39
PID 1564 wrote to memory of 444	1564	MSBuild.exe	39
PID 1564 wrote to memory of 444	1564	MSBuild.exe	39
PID 1564 wrote to memory of 444	1564	MSBuild.exe	39
PID 1932 wrote to memory of 2436	1932	axplong.exe	40
PID 1932 wrote to memory of 2436	1932	axplong.exe	40
PID 1932 wrote to memory of 2436	1932	axplong.exe	40
PID 1932 wrote to memory of 2436	1932	axplong.exe	40
PID 1932 wrote to memory of 2292	1932	axplong.exe	41
PID 1932 wrote to memory of 2292	1932	axplong.exe	41
PID 1932 wrote to memory of 2292	1932	axplong.exe	41
PID 1932 wrote to memory of 2292	1932	axplong.exe	41
PID 1932 wrote to memory of 400	1932	axplong.exe	44
PID 1932 wrote to memory of 400	1932	axplong.exe	44
PID 1932 wrote to memory of 400	1932	axplong.exe	44
PID 1932 wrote to memory of 400	1932	axplong.exe	44
PID 1932 wrote to memory of 2748	1932	axplong.exe	45
PID 1932 wrote to memory of 2748	1932	axplong.exe	45
PID 1932 wrote to memory of 2748	1932	axplong.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c.exe
"C:\Users\Admin\AppData\Local\Temp\bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
  "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
    "C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:536
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 96
      4⤵
      Loads dropped DLL
      Program crash
      PID:2656
- - C:\Users\Admin\AppData\Local\Temp\1000004001\legas.exe
    "C:\Users\Admin\AppData\Local\Temp\1000004001\legas.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:572
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1564
    - - C:\Users\Admin\AppData\Roaming\ztHNqAle0j.exe
        
        "C:\Users\Admin\AppData\Roaming\ztHNqAle0j.exe"
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
    - - C:\Users\Admin\AppData\Roaming\2wnJHfjJq0.exe
        
        "C:\Users\Admin\AppData\Roaming\2wnJHfjJq0.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:444
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 572 -s 52
      4⤵
      Loads dropped DLL
      Program crash
      PID:1708
- - C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
    "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2436
- - C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe
    "C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    PID:2292
- - C:\Users\Admin\AppData\Local\Temp\1000354001\2c3b4fdf47.exe
    "C:\Users\Admin\AppData\Local\Temp\1000354001\2c3b4fdf47.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:400
- - C:\Users\Admin\AppData\Local\Temp\1000355001\cfdd099bb1.exe
    "C:\Users\Admin\AppData\Local\Temp\1000355001\cfdd099bb1.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:2748
  - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2340
    - - C:\Users\Admin\AppData\Local\Temp\1000332001\e31f9a865a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000332001\e31f9a865a.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2148
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        6⤵
        
        PID:2512
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        7⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1148
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1148.0.1296136758\483431043" -parentBuildID 20221007134813 -prefsHandle 1224 -prefMapHandle 1216 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {98535f73-f7b4-46f9-9c8a-48fdcb7a77f5} 1148 "\\.\pipe\gecko-crash-server-pipe.1148" 1336 108d9258 gpu
        8⤵
        
        PID:2808
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1148.1.1478071815\478160769" -parentBuildID 20221007134813 -prefsHandle 1520 -prefMapHandle 1516 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d1fc01b-246e-4ed9-944d-9bf6731923cf} 1148 "\\.\pipe\gecko-crash-server-pipe.1148" 1544 f5e4658 socket
        8⤵
        
        PID:2080
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1148.2.637535641\152395601" -childID 1 -isForBrowser -prefsHandle 1868 -prefMapHandle 1864 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 644 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {160641ba-397c-46a5-8b81-c92bd2b2847a} 1148 "\\.\pipe\gecko-crash-server-pipe.1148" 1916 19a94658 tab
        8⤵
        
        PID:2068
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1148.3.1694089332\523403228" -childID 2 -isForBrowser -prefsHandle 2640 -prefMapHandle 2636 -prefsLen 26151 -prefMapSize 233444 -jsInitHandle 644 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a1dae22-eeb8-4361-a998-be022f54f58c} 1148 "\\.\pipe\gecko-crash-server-pipe.1148" 2660 e63658 tab
        8⤵
        
        PID:1412
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1148.4.1585572744\1288484342" -childID 3 -isForBrowser -prefsHandle 3992 -prefMapHandle 3988 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 644 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0aab37a6-e8fa-46aa-9594-54e3f5c1e06f} 1148 "\\.\pipe\gecko-crash-server-pipe.1148" 4004 21708558 tab
        8⤵
        
        PID:3956
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1148.5.275352889\2031716117" -childID 4 -isForBrowser -prefsHandle 4116 -prefMapHandle 4120 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 644 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f06dd995-a14b-4c4c-8ab1-2b58305f3f99} 1148 "\\.\pipe\gecko-crash-server-pipe.1148" 4104 2170af58 tab
        8⤵
        
        PID:4020
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1148.6.2114285687\161624034" -childID 5 -isForBrowser -prefsHandle 3360 -prefMapHandle 3380 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 644 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {026520e2-59e0-40a6-ad47-aa9249df525a} 1148 "\\.\pipe\gecko-crash-server-pipe.1148" 3392 2136dc58 tab
        8⤵
        
        PID:4028
    - - C:\Users\Admin\AppData\Local\Temp\1000336001\num.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000336001\num.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2592
    - - C:\Users\Admin\AppData\Local\Temp\1000349001\3f7ed2c2ff.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000349001\3f7ed2c2ff.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:3648
    - - C:\Users\Admin\1000350002\2ca9b1788d.exe
        
        "C:\Users\Admin\1000350002\2ca9b1788d.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1596
    - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        5⤵
        
        PID:1884
- - C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe
    "C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:1612
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2756
- - C:\Users\Admin\AppData\Local\Temp\1000406001\Nework.exe
    "C:\Users\Admin\AppData\Local\Temp\1000406001\Nework.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:2128
  - - C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
      "C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2668
    - - C:\Users\Admin\AppData\Local\Temp\1000081001\sadsay.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000081001\sadsay.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:4060
      - C:\Users\Admin\AppData\Local\Temp\service123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\service123.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3492
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4024
- - C:\Users\Admin\AppData\Local\Temp\1000407001\processclass.exe
    "C:\Users\Admin\AppData\Local\Temp\1000407001\processclass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1628
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start context.exe
      4⤵
      PID:2748
    - - C:\Users\Admin\AppData\Local\Temp\context.exe
        
        context.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 736
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1140
- - C:\Users\Admin\AppData\Local\Temp\1000409001\splwow64.exe
    "C:\Users\Admin\AppData\Local\Temp\1000409001\splwow64.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1084
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3904
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k "taskkill /f /im "InstallUtil.exe" && timeout 1 && del InstallUtil.exe && Exit"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3368
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "InstallUtil.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3100
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3384
- - C:\Users\Admin\AppData\Local\Temp\1000421001\Set-up.exe
    "C:\Users\Admin\AppData\Local\Temp\1000421001\Set-up.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:3976
- - C:\Users\Admin\AppData\Local\Temp\1000423001\out.exe
    "C:\Users\Admin\AppData\Local\Temp\1000423001\out.exe"
    3⤵
    - Executes dropped EXE
    PID:3208

C:\Windows\system32\taskeng.exe
taskeng.exe {34585646-1539-4662-8B68-956FBCC7744B} S-1-5-21-1506706701-1246725540-2219210854-1000:MUYDDIIS\Admin:Interactive:[1]
1⤵
PID:3300
- C:\Users\Admin\AppData\Local\Temp\service123.exe
  C:\Users\Admin\AppData\Local\Temp\/service123.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1608
- C:\Users\Admin\AppData\Local\Temp\service123.exe
  C:\Users\Admin\AppData\Local\Temp\/service123.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3952
- C:\Users\Admin\AppData\Local\Temp\service123.exe
  C:\Users\Admin\AppData\Local\Temp\/service123.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3836
- C:\Users\Admin\AppData\Local\Temp\service123.exe
  C:\Users\Admin\AppData\Local\Temp\/service123.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c3c3ef71cb4bb8944d8ed7d8d93d8cd

SHA1
4ebb8259f3ec2412f698ce755d3ee37cf32bc514

SHA256
5632aa11f4c547b94a563e1366e37c9d2c05f8b000ad980e6523fa758117839c

SHA512
9e2554b2a297ff382f7bb1ed88058d4da1385661d7e882a8df16900a2b16ab3d5257aa4b5beff093691b1a0259e4830c9b4f68edb18c329ae4bdac004dcf3d0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3dc3bf95f83e4ed7555a411f5203a41d

SHA1
17223d675b19c75e4be51ff8f79b63282a388547

SHA256
d60147a5eced87d1d57032f802f0cf2b760371838b4a34590ad1a32130e76f27

SHA512
1ae95228a857bde9440c3124c649d52ca9557440b7ff88727898edf87b53b94108fdf1c5c5965a3bde7c7a10d15bf636a9a99c11b07a75693f7a7eccfb35d67a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\39ptzwfm.default-release\activity-stream.discovery_stream.json.tmp

Filesize
29KB

MD5
d1f46fdf73107f6bcbc8d4cae1587bec

SHA1
ad802e737fa8a1a4d13a1ac1aedb507d75348df6

SHA256
53e0e9833f71bc8690b41f71c14d406fe4aae842f859fce8bbf87c02c1a41278

SHA512
a04ed046fad614712e2ccf976372f2151facc93004634adbde4d17d5ed0422c65a8b2878b743814797e261c0e9fdb8e2bf6454edacbd125af7f03a64f86f875b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe

Filesize
566KB

MD5
049b6fe48a8cfb927648ad626aba5551

SHA1
9555d23104167e4fad5a178b4352831ce620b374

SHA256
b78402483c46cd37e2c204d95690aa2a213616a1f904d779ceec0e22fcdd6531

SHA512
ed787f90966ca1ea4b1e67c4026dd44393c7d312cd52e376f4ba5e5c49616938ec9e913044def29b40b441eb4c913a5134bb78317a179f62067bef3f9d913c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\legas.exe

Filesize
1.3MB

MD5
24402fc0617a2740c16ea9c81518d669

SHA1
a0476ef848cd11bb20f8efd06e295a0f44c956ca

SHA256
c02fcc32573f4546201515667154d9e51e2636af52a1790d1063183c0d012566

SHA512
dd90c0036a8a109c5645b481f1bd7b193fa86518183790b75dbc400416793fb8f9e7d4d4621d7c0227cbbf483758a03a94581397686b09c6f65218b651b5bc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

Filesize
187KB

MD5
7a02aa17200aeac25a375f290a4b4c95

SHA1
7cc94ca64268a9a9451fb6b682be42374afc22fd

SHA256
836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e

SHA512
f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000080001\fikbbm0902845.exe

Filesize
18B

MD5
174ef859dfe296a48628dc40ef8e05ed

SHA1
59a0e43e3ae9c8f638932b9cf83bf62ad91fb2b7

SHA256
84520353f099eee2117b00aa16cde461e573a835e8ddd64334efd871d4ce292c

SHA512
c6d0e9d1842a4ce05929f8941b8e30729567626cf1594f3b11958cde9347e1d8e8cde5f9f9584953122fd035fedec0b09c0bd184abc0f33eac4862d85e164ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000081001\sadsay.exe

Filesize
7.4MB

MD5
735bb5f55a17215700840c04a8b40a03

SHA1
55e0828c6d08653939eee2b1af8fd737e92266c4

SHA256
5ea6a5e3bc6c02cc41637028050c3738c38a07917e373637928b314c5d22f84d

SHA512
7e742677e35099d8cd4a5163eea6633e3ec7deeb4840aba1f8adad8f0022e72f7416ac6367802eceab8f9f2e9dd04e1546b141e911495d025b98575a92f3865c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000254001\red.exe

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe

Filesize
304KB

MD5
58e8b2eb19704c5a59350d4ff92e5ab6

SHA1
171fc96dda05e7d275ec42840746258217d9caf0

SHA256
07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834

SHA512
e7655762c5f2d10ec246d11f82d437a2717ad05be847b5e0fd055e3241caaca85430f424055b343e3a44c90d76a0ba07a6913c2208f374f59b61f8aa4477889f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000332001\e31f9a865a.exe

Filesize
898KB

MD5
8eb80d6a4bf81ccc902a45a404c7ed9d

SHA1
94bd95a6c577963d3608de4b659c892aa4013f84

SHA256
98cdc2aed91cb1294429e43cebfe79adfe311761db9b00ae74ce4b424e38e808

SHA512
95ccca01f61452d25c34f05525d1a2d5e63b61ce62402e06ed9d6be26aa4621041d6480ef310356fbff4dac0b311e57b03cdf3b527238a14b598def1e53696e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000336001\num.exe

Filesize
307KB

MD5
791fcee57312d4a20cc86ae1cea8dfc4

SHA1
04a88c60ae1539a63411fe4765e9b931e8d2d992

SHA256
27e4a3627d7df2b22189dd4bebc559ae1986d49a8f4e35980b428fadb66cf23d

SHA512
2771d4e7b272bf770efad22c9fb1dfafe10cbbf009df931f091fb543e3132c0efda16acb5b515452e9e67e8b1fc8fe8aedd1376c236061385f026865cdc28d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000349001\3f7ed2c2ff.exe

Filesize
1.8MB

MD5
d4ba036387ff4ee98ff7b0f172610045

SHA1
965daac66d7f1ac5d68b4d741e4c2df25d8f820e

SHA256
502b58d102d29f2bf22c6b7b17e9e79dec9d20f8eaa76f5b29ed2c1ebfbc6a1c

SHA512
f659048afe0f517ad5e91da0fc668f17fbe919a0274c6ebff8b0bf74e5fd19d95d1ab3bda7bd0808cfc4efe40e276199753233f338466a23cad8da30682ad469

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000354001\2c3b4fdf47.exe

Filesize
1.8MB

MD5
caf461eb8ed93f9c6693644c9a00bf91

SHA1
bde1937a55f1aba923ef6710d56585192aa29f66

SHA256
bd7cb47cbacea170edf4777a5d5d592493f8bdeb475b25cde03208bd49eae092

SHA512
ddb8711e95899cb09798f0add44805ed5aa90c1ca80e94fa73fa42568c07c9aa93dca21ff0db314fead43d84ec87583d9b8c6e7d1799daa8e3a58befdf678642

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000355001\cfdd099bb1.exe

Filesize
1.8MB

MD5
f69f1b099abe6b8ec4d6319db86fd01d

SHA1
374021521d524c3c4e8e54937eb21b1982511277

SHA256
f7352c0de9fbd32c95498fa67702ae6c63c11f9a1145161a850df4bd8272bdab

SHA512
edc4b8d8171de84234379bb1a4658aef0c1197b584f5b035779fae7689695edf05675b3578342c893383e3b18a5bdd35cd598da3e2847873c29946414695ca0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe

Filesize
314KB

MD5
ff5afed0a8b802d74af1c1422c720446

SHA1
7135acfa641a873cb0c4c37afc49266bfeec91d8

SHA256
17ac37b4946539fa7fa68b12bd80946d340497a7971802b5848830ad99ea1e10

SHA512
11724d26e11b3146e0fc947c06c59c004c015de0afea24ec28a4eb8145fcd51e9b70007e17621c83f406d9aeb7cd96601245671d41c3fcc88a27c33bd7cf55ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000406001\Nework.exe

Filesize
416KB

MD5
f5d7b79ee6b6da6b50e536030bcc3b59

SHA1
751b555a8eede96d55395290f60adc43b28ba5e2

SHA256
2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459

SHA512
532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000407001\processclass.exe

Filesize
6KB

MD5
c042782226565f89ce3954489075e516

SHA1
256dd5ba42837a33c7aa6cb71cef33d5617117ee

SHA256
a7b63cd9959ac6f23c86644a4ca5411b519855d47f1f5e75a1645d7274f545a6

SHA512
9f0771c66ea7c0a2264b99a8782e3ab88a2d74b609265b5ce14f81dcc52b71e46248abd77767018711d72a18e20fe3b272513bfd722fff9043f962f7c8ed93fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000409001\splwow64.exe

Filesize
1.1MB

MD5
ed9393d5765529c845c623e35c1b1a34

SHA1
d3eca07f5ce0df847070d2d7fe5253067f624285

SHA256
53cd2428c9883acca7182781f22df82c38f8cc115dc014b68e32f8b1cdbf246a

SHA512
565f66ef604b10d5be70920d9813e58f5bde174d6a6d30eb8654f467775da8a665c555b7e4127fc22f8a5a5b54466137bde228fd932335517dd017d0ea51f3f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000421001\Set-up.exe

Filesize
6.3MB

MD5
65eeea19b373583f916bf3070acbfd58

SHA1
78ce3479d5d0148ba855d89ecb48a3f0c12d9957

SHA256
c671e33f6757cef930713d2e4efeb8642177675e95fc05de92e124213022a00b

SHA512
f726327e977a85dcc3b0c217a8dacc9cd375bbe3f238558c9b9adf35233c0b4959e6014ff46bf742a7a822e4fe757d4f3bcc1e63709c6ec4c84c29c1f47483c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000423001\out.exe

Filesize
5.5MB

MD5
f2930c61288bc55dfdf9c8b42e321006

SHA1
5ce19a53d5b4deb406943e05ec93bc3979824866

SHA256
d3a53533949862449edb69c1916bf56681e3f2ec3a1c803043b1f3b876698603

SHA512
67a1ea68fafae8c7c9da322b7c5821e5cc78fcce3c9454a552a13ebc812bec334f60533991147b0b95151ade77ff2fbf244945f8318b48082173b64c71e6308f

Download Submit
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Filesize
1.8MB

MD5
338fd6192a1bfaadbf72002bc5f8323e

SHA1
b465094f062d170487b50ae46b28325d4b156d58

SHA256
bcbb188e96c1b437102220e9e25ffbabdd3d6098fd257f9a621f13611049831c

SHA512
bb0c58e71eccd9edf0acfb04cc23d4fc8d6250938a4ee0a42698ab53f07ebc66c1776b0e3d668e9aad0aab2c1e0e37261508013996b9ac0dea1fe77da992a167

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab25CB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar25DD.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp259B.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Roaming\2wnJHfjJq0.exe

Filesize
393KB

MD5
7d7366ab79d6d3d8d83d13a8b30de999

SHA1
75c6c49a6701d254c3ce184054a4a01329c1a6f3

SHA256
3d66fed04c76d055c6149b33dcfda544b509c57087c57a861e1d6256b59f8465

SHA512
64f4551b3be1c21ce7c2d49608463e5aec4166e3e6893883c33a5b7d1109ef0fc8ab6bd15c70d9d606e2706f12a937c2d90d5bc8f6c629ad6f30f212dc25f022

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1506706701-1246725540-2219210854-1000\76b53b3ec448f7ccdda2063b15d2bfc3_62dc4f69-4699-4b35-9f5c-cc69254f52a3

Filesize
2KB

MD5
cd60f14fd81e395c3ebcecd498e73056

SHA1
9f1efb6980c701301f0e133519baa211530b1262

SHA256
f1ccd265a08146a89f39372b7a450cd06215a5bee29851ce309e4f2fc21fe637

SHA512
c39e9e214de0f7372f3881936bcc032c007632f33293ca84ec9b921ad0b2a247d01feb657895f1f855c0c130a97ced08c3321a542272f7cd27d4d5bb770b9f28

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\datareporting\glean\db\data.safe.bin

Filesize
9KB

MD5
67a33aa3bc8532f1a5df34fe161c74ed

SHA1
e088207479daeca19d11ec9bf2d8e76f80ffc206

SHA256
c77972adb8285c7f516b0483e175a410079472dd362cc0bc82788efd463f9854

SHA512
1ae9895b995e869bf86576f356f93822a00289c5397c3167a0a79eaed90a2f7ec0db69f33e4031d4fb816ade2f51554bb2dd974611b47de24b843e04392e36da

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\datareporting\glean\pending_pings\6220f591-a48d-44d4-a4b3-55748611bc12

Filesize
733B

MD5
fa66bed1dd42371b16c99af4d0a0ca8b

SHA1
f9eb9044b684d315fa8cfe07a42e09f69c8a65be

SHA256
eaf6f5f7901fb090e1d1198f388f61862a3f271adc1e361a639c87d14145adff

SHA512
b520a6ee34d7567f0a3f50be398b199db3da93d387b7363906342b573cf0eebdec3bfe08577b6884d89c514b1a5fa42e9300d8bbdb7385b0770caec93c2c95f5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\prefs.js

Filesize
6KB

MD5
d435c6ebf653e45a12e5c9bd243aef39

SHA1
9b711658181c2680e9529d1a106689746adb52ae

SHA256
ecac5fd3086a3905197de9e4fb39386004952a57af30311d0146477b7770ff13

SHA512
034c609c30edffc88bc7f4975b386474ede985e39d7d0ac5cf53bf7dffded1c69773b03f64b7f30696e81c292e6b16c8cd687f7d9c269d2fc1f2874d1da19380

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\39ptzwfm.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
1d87633c899ebb45778026c301d420f3

SHA1
7931aa594a96450488f4bd2d2be9b60a93dce5e5

SHA256
b1f10b1b2b49f98c914ff552a5421c04140ecad4b2f14c41477b6bf060a73893

SHA512
3f33d00cd23f32a089e283adec5233d802142d256b1ba810c466c379cbdb2b6decb20068256a30bcdca66d731670d135cfc4984dc4cb6791c3653c91915438f2

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
39fb20ef7c3bc1023428dec5650bc879

SHA1
1db41cefdf921b424e3b108edb25c35007c666c5

SHA256
bb157fd2a365dd7f24bac59796458be72603e0b6ebce4f8dbff090696fb04ee0

SHA512
52551ac48f3b69a05a63e45d91f7eb84729f0ddabe33d2adc9193f6cd02329e1e8e8dc08059c0288a42527de6278e19d7336b6da1f04a1ef2ab5d513a001876c

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Roaming\ztHNqAle0j.exe

Filesize
602KB

MD5
e4fc58d334930a9d6572c344e5129f6b

SHA1
d38fbd0c4c86eee14722f40cc607e2128c01b00f

SHA256
973a9056040af402d6f92f436a287ea164fae09c263f80aba0b8d5366ed9957a

SHA512
a69f5da8de8c9782769cca2e2fc5b28bbeba0c0d0027954dbe47b15610d82277abbe912f0e5921a18000f1a3a3c54eb5922f70c773537a22f4b35ff926d17a59

Download Submit
memory/400-298-0x0000000001390000-0x0000000001A2C000-memory.dmp

Filesize
6.6MB

Download
memory/400-466-0x0000000001390000-0x0000000001A2C000-memory.dmp

Filesize
6.6MB

Download
memory/400-516-0x0000000001390000-0x0000000001A2C000-memory.dmp

Filesize
6.6MB

Download
memory/400-653-0x0000000001390000-0x0000000001A2C000-memory.dmp

Filesize
6.6MB

Download
memory/444-101-0x00000000001E0000-0x0000000000248000-memory.dmp

Filesize
416KB

Download
memory/536-45-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/536-42-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/536-47-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/536-43-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/536-41-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/536-40-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/536-39-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/536-38-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/536-46-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/536-277-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1084-489-0x0000000000C00000-0x0000000000D18000-memory.dmp

Filesize
1.1MB

Download
memory/1084-496-0x0000000009EB0000-0x0000000009F34000-memory.dmp

Filesize
528KB

Download
memory/1564-72-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1564-81-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1564-80-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1564-70-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1564-68-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1564-74-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1564-77-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1564-97-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1564-78-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1564-79-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1564-66-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/1612-366-0x0000000001290000-0x00000000012E4000-memory.dmp

Filesize
336KB

Download
memory/1628-443-0x0000000001170000-0x0000000001178000-memory.dmp

Filesize
32KB

Download
memory/1932-118-0x0000000001380000-0x000000000181E000-memory.dmp

Filesize
4.6MB

Download
memory/1932-429-0x0000000006830000-0x0000000006ECC000-memory.dmp

Filesize
6.6MB

Download
memory/1932-294-0x0000000006830000-0x0000000006ECC000-memory.dmp

Filesize
6.6MB

Download
memory/1932-803-0x0000000006830000-0x0000000006A73000-memory.dmp

Filesize
2.3MB

Download
memory/1932-295-0x0000000006830000-0x0000000006ECC000-memory.dmp

Filesize
6.6MB

Download
memory/1932-20-0x0000000001380000-0x000000000181E000-memory.dmp

Filesize
4.6MB

Download
memory/1932-313-0x0000000006830000-0x0000000006CF2000-memory.dmp

Filesize
4.8MB

Download
memory/1932-310-0x0000000001380000-0x000000000181E000-memory.dmp

Filesize
4.6MB

Download
memory/1932-119-0x0000000006830000-0x0000000006A73000-memory.dmp

Filesize
2.3MB

Download
memory/1932-499-0x0000000006830000-0x0000000006CF2000-memory.dmp

Filesize
4.8MB

Download
memory/1932-18-0x0000000001380000-0x000000000181E000-memory.dmp

Filesize
4.6MB

Download
memory/1932-802-0x0000000006830000-0x0000000006A73000-memory.dmp

Filesize
2.3MB

Download
memory/1932-576-0x0000000001380000-0x000000000181E000-memory.dmp

Filesize
4.6MB

Download
memory/1932-120-0x0000000006830000-0x0000000006A73000-memory.dmp

Filesize
2.3MB

Download
memory/1932-228-0x0000000001380000-0x000000000181E000-memory.dmp

Filesize
4.6MB

Download
memory/1932-293-0x0000000001380000-0x000000000181E000-memory.dmp

Filesize
4.6MB

Download
memory/1932-17-0x0000000001381000-0x00000000013AF000-memory.dmp

Filesize
184KB

Download
memory/1932-129-0x0000000001380000-0x000000000181E000-memory.dmp

Filesize
4.6MB

Download
memory/1932-16-0x0000000001380000-0x000000000181E000-memory.dmp

Filesize
4.6MB

Download
memory/2028-732-0x0000000000D00000-0x0000000000E18000-memory.dmp

Filesize
1.1MB

Download
memory/2084-100-0x0000000000020000-0x00000000000BC000-memory.dmp

Filesize
624KB

Download
memory/2116-15-0x0000000000990000-0x0000000000E2E000-memory.dmp

Filesize
4.6MB

Download
memory/2116-5-0x0000000000990000-0x0000000000E2E000-memory.dmp

Filesize
4.6MB

Download
memory/2116-1-0x0000000077210000-0x0000000077212000-memory.dmp

Filesize
8KB

Download
memory/2116-0-0x0000000000990000-0x0000000000E2E000-memory.dmp

Filesize
4.6MB

Download
memory/2116-2-0x0000000000991000-0x00000000009BF000-memory.dmp

Filesize
184KB

Download
memory/2116-3-0x0000000000990000-0x0000000000E2E000-memory.dmp

Filesize
4.6MB

Download
memory/2292-144-0x0000000000330000-0x0000000000382000-memory.dmp

Filesize
328KB

Download
memory/2340-724-0x0000000006D30000-0x00000000073CC000-memory.dmp

Filesize
6.6MB

Download
memory/2340-631-0x0000000000930000-0x0000000000DF2000-memory.dmp

Filesize
4.8MB

Download
memory/2340-816-0x0000000006710000-0x0000000006971000-memory.dmp

Filesize
2.4MB

Download
memory/2340-524-0x0000000006710000-0x0000000006971000-memory.dmp

Filesize
2.4MB

Download
memory/2340-730-0x0000000006D30000-0x00000000071CC000-memory.dmp

Filesize
4.6MB

Download
memory/2340-526-0x0000000000930000-0x0000000000DF2000-memory.dmp

Filesize
4.8MB

Download
memory/2340-525-0x0000000006710000-0x0000000006971000-memory.dmp

Filesize
2.4MB

Download
memory/2340-815-0x0000000006710000-0x0000000006971000-memory.dmp

Filesize
2.4MB

Download
memory/2340-675-0x0000000006D30000-0x00000000071CC000-memory.dmp

Filesize
4.6MB

Download
memory/2340-734-0x0000000006D30000-0x00000000071CC000-memory.dmp

Filesize
4.6MB

Download
memory/2340-674-0x0000000006D30000-0x00000000071CC000-memory.dmp

Filesize
4.6MB

Download
memory/2340-725-0x0000000006D30000-0x00000000073CC000-memory.dmp

Filesize
6.6MB

Download
memory/2340-328-0x0000000000930000-0x0000000000DF2000-memory.dmp

Filesize
4.8MB

Download
memory/2436-329-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2436-507-0x00000000003D0000-0x0000000000613000-memory.dmp

Filesize
2.3MB

Download
memory/2436-121-0x00000000003D0000-0x0000000000613000-memory.dmp

Filesize
2.3MB

Download
memory/2592-534-0x0000000001120000-0x0000000001381000-memory.dmp

Filesize
2.4MB

Download
memory/2592-527-0x0000000001120000-0x0000000001381000-memory.dmp

Filesize
2.4MB

Download
memory/2748-327-0x0000000001190000-0x0000000001652000-memory.dmp

Filesize
4.8MB

Download
memory/2748-325-0x0000000006F50000-0x0000000007412000-memory.dmp

Filesize
4.8MB

Download
memory/2748-314-0x0000000001190000-0x0000000001652000-memory.dmp

Filesize
4.8MB

Download
memory/2756-380-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2756-375-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2756-373-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2756-377-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2756-378-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2756-371-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2756-369-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2756-379-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2916-297-0x00000000011A7000-0x00000000011A8000-memory.dmp

Filesize
4KB

Download
memory/2916-37-0x00000000011A7000-0x00000000011A8000-memory.dmp

Filesize
4KB

Download
memory/3648-728-0x0000000000B90000-0x000000000102C000-memory.dmp

Filesize
4.6MB

Download
memory/3648-676-0x0000000000B90000-0x000000000102C000-memory.dmp

Filesize
4.6MB

Download
memory/4060-703-0x0000000069CC0000-0x000000006A377000-memory.dmp

Filesize
6.7MB

Download