Overview

overview

10

Static

static

3

edc0d2a38d...8a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-12-2024 14:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    edc0d2a38d5f3e1628d72ff48d5b61bb7459c15239ed857adfe8a5a05030f28a.exe

  • Size

    6.9MB

  • MD5

    6b32f6f4217e3e042093d88b4abbf4c6

  • SHA1

    628924164325250109633ec973a6394ac0ff3a6a

  • SHA256

    edc0d2a38d5f3e1628d72ff48d5b61bb7459c15239ed857adfe8a5a05030f28a

  • SHA512

    12b7bd930d3c61faeb8ebaac23ee68f1a343df59720f17509aafcb4d2847b44db78e2eb27b09b5f7bc76cead1e6564b6ab6a378dc677dd7043f70d2ecb624146

  • SSDEEP

    196608:y2PZZzNwqSCTn5ST5f9o0FX0CHCFgfY97+OkCNY:HzzWpCj85FoCh2gfYhhNY

Score
10/10
amadeygcleanerlummaphemedronestealc9c9aa5stokcredential_accessdiscoveryevasionloaderpersistencespywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

C2

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

https://atten-supporse.biz/api

https://drive-connect.cyou/api

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

https://tacitglibbr.biz/api

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot7748267151:AAHJX2M4rJ5MRUvgJ9XqTgoOgAd1r_j9htM/sendDocument

Extracted

Family

stealc

Botnet

stok

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Extracted

Family

lumma

C2

https://atten-supporse.biz/api

https://covery-mover.biz/api

https://drive-connect.cyou/api

https://tacitglibbr.biz/api

https://immureprech.biz/api

https://deafeninggeh.biz/api

https://wrathful-jammy.cyou/api

https://awake-weaves.cyou/api

https://sordid-snaked.cyou/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner
  • Gcleaner family
    gcleaner
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
    evasiontrojan
  • Phemedrone

    An information and wallet stealer written in C#.

    stealerphemedrone
  • Phemedrone family
    phemedrone
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 13 IoCs
    evasion
  • Downloads MZ/PE file
  • Uses browser remote debugging 2 TTPs 8 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • Checks BIOS information in registry 2 TTPs 26 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 22 IoCs
  • Identifies Wine through registry keys 2 TTPs 13 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 7 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 13 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 8 IoCs
  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\edc0d2a38d5f3e1628d72ff48d5b61bb7459c15239ed857adfe8a5a05030f28a.exe
    "C:\Users\Admin\AppData\Local\Temp\edc0d2a38d5f3e1628d72ff48d5b61bb7459c15239ed857adfe8a5a05030f28a.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:224
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\X5Z13.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\X5Z13.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4416
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\K8M22.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\K8M22.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4060
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1v90C3.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1v90C3.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:3016
          • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
            "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Checks computer location settings
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3100
            • C:\Users\Admin\AppData\Local\Temp\1014031001\IGEaNGi.exe
              "C:\Users\Admin\AppData\Local\Temp\1014031001\IGEaNGi.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:840
            • C:\Users\Admin\AppData\Local\Temp\1014060001\3ed2172d0d.exe
              "C:\Users\Admin\AppData\Local\Temp\1014060001\3ed2172d0d.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              PID:2944
              • C:\Users\Admin\AppData\Local\Temp\1014060001\3ed2172d0d.exe
                "C:\Users\Admin\AppData\Local\Temp\1014060001\3ed2172d0d.exe"
                7⤵
                • Executes dropped EXE
                PID:3508
              • C:\Users\Admin\AppData\Local\Temp\1014060001\3ed2172d0d.exe
                "C:\Users\Admin\AppData\Local\Temp\1014060001\3ed2172d0d.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:2976
            • C:\Users\Admin\AppData\Local\Temp\1014067001\cbbcf6446e.exe
              "C:\Users\Admin\AppData\Local\Temp\1014067001\cbbcf6446e.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:5168
            • C:\Users\Admin\AppData\Local\Temp\1014068001\c4c7d88f61.exe
              "C:\Users\Admin\AppData\Local\Temp\1014068001\c4c7d88f61.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:4756
            • C:\Users\Admin\AppData\Local\Temp\1014069001\69cd7bea48.exe
              "C:\Users\Admin\AppData\Local\Temp\1014069001\69cd7bea48.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:4172
            • C:\Users\Admin\AppData\Local\Temp\1014070001\4248fb6d4d.exe
              "C:\Users\Admin\AppData\Local\Temp\1014070001\4248fb6d4d.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:712
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM firefox.exe /T
                7⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4884
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM chrome.exe /T
                7⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4580
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM msedge.exe /T
                7⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2380
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM opera.exe /T
                7⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:5388
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM brave.exe /T
                7⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:5640
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                7⤵
                  PID:5456
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                    8⤵
                    • Checks processor information in registry
                    • Modifies registry class
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    • Suspicious use of SetWindowsHookEx
                    PID:5816
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1960 -parentBuildID 20240401114208 -prefsHandle 1872 -prefMapHandle 1864 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7212fb0-b0ea-4385-a35e-8b63f1a6f83c} 5816 "\\.\pipe\gecko-crash-server-pipe.5816" gpu
                      9⤵
                        PID:4952
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2444 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {273d4081-7c2e-46f6-96c3-5a12fa7d92cc} 5816 "\\.\pipe\gecko-crash-server-pipe.5816" socket
                        9⤵
                          PID:5984
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3016 -childID 1 -isForBrowser -prefsHandle 3020 -prefMapHandle 3184 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11391323-7d11-468a-a21e-72adde3e3ef7} 5816 "\\.\pipe\gecko-crash-server-pipe.5816" tab
                          9⤵
                            PID:4376
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4228 -childID 2 -isForBrowser -prefsHandle 4224 -prefMapHandle 4220 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6c13a72-6c48-48bc-805c-50d8f87754aa} 5816 "\\.\pipe\gecko-crash-server-pipe.5816" tab
                            9⤵
                              PID:5516
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4984 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4928 -prefMapHandle 4956 -prefsLen 33036 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17cc5883-9e45-4c10-b3f0-769b54d3ef41} 5816 "\\.\pipe\gecko-crash-server-pipe.5816" utility
                              9⤵
                              • Checks processor information in registry
                              PID:5564
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5232 -childID 3 -isForBrowser -prefsHandle 5168 -prefMapHandle 5200 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bed8496-dcf2-44db-b605-743203fd142f} 5816 "\\.\pipe\gecko-crash-server-pipe.5816" tab
                              9⤵
                                PID:3604
                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -childID 4 -isForBrowser -prefsHandle 5340 -prefMapHandle 5344 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c24d92b-cade-4bc5-8a9d-1a43ee1a913c} 5816 "\\.\pipe\gecko-crash-server-pipe.5816" tab
                                9⤵
                                  PID:4236
                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5624 -childID 5 -isForBrowser -prefsHandle 5540 -prefMapHandle 5544 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a797898a-695a-4949-a2aa-fe9bb33e0a36} 5816 "\\.\pipe\gecko-crash-server-pipe.5816" tab
                                  9⤵
                                    PID:5056
                            • C:\Users\Admin\AppData\Local\Temp\1014071001\ec77420635.exe
                              "C:\Users\Admin\AppData\Local\Temp\1014071001\ec77420635.exe"
                              6⤵
                              • Modifies Windows Defender Real-time Protection settings
                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                              • Checks BIOS information in registry
                              • Executes dropped EXE
                              • Identifies Wine through registry keys
                              • Windows security modification
                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                              • System Location Discovery: System Language Discovery
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:5488
                            • C:\Users\Admin\AppData\Local\Temp\1014072001\3583fdfb13.exe
                              "C:\Users\Admin\AppData\Local\Temp\1014072001\3583fdfb13.exe"
                              6⤵
                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                              • Checks BIOS information in registry
                              • Executes dropped EXE
                              • Identifies Wine through registry keys
                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                              • System Location Discovery: System Language Discovery
                              • Suspicious behavior: EnumeratesProcesses
                              PID:5756
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 780
                                7⤵
                                • Program crash
                                PID:5524
                            • C:\Users\Admin\AppData\Local\Temp\1014073001\6ace7f8d1b.exe
                              "C:\Users\Admin\AppData\Local\Temp\1014073001\6ace7f8d1b.exe"
                              6⤵
                              • Executes dropped EXE
                              • Suspicious use of SetThreadContext
                              • System Location Discovery: System Language Discovery
                              PID:6124
                              • C:\Users\Admin\AppData\Local\Temp\1014073001\6ace7f8d1b.exe
                                "C:\Users\Admin\AppData\Local\Temp\1014073001\6ace7f8d1b.exe"
                                7⤵
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                PID:6156
                        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2R6168.exe
                          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2R6168.exe
                          4⤵
                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                          • Checks BIOS information in registry
                          • Executes dropped EXE
                          • Identifies Wine through registry keys
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          PID:4092
                      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3k12F.exe
                        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3k12F.exe
                        3⤵
                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                        • Checks BIOS information in registry
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Identifies Wine through registry keys
                        • Loads dropped DLL
                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                        • System Location Discovery: System Language Discovery
                        • Checks processor information in registry
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of WriteProcessMemory
                        PID:3736
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
                          4⤵
                          • Uses browser remote debugging
                          • Enumerates system info in registry
                          • Modifies data under HKEY_USERS
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of FindShellTrayWindow
                          • Suspicious use of WriteProcessMemory
                          PID:1460
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffb3968cc40,0x7ffb3968cc4c,0x7ffb3968cc58
                            5⤵
                              PID:2596
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1828,i,18025784762184508838,5226940231433259083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1824 /prefetch:2
                              5⤵
                                PID:4832
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2180,i,18025784762184508838,5226940231433259083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2396 /prefetch:3
                                5⤵
                                  PID:2876
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2076,i,18025784762184508838,5226940231433259083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2412 /prefetch:8
                                  5⤵
                                    PID:4556
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2436,i,18025784762184508838,5226940231433259083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:1
                                    5⤵
                                    • Uses browser remote debugging
                                    PID:516
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3232,i,18025784762184508838,5226940231433259083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3340 /prefetch:1
                                    5⤵
                                    • Uses browser remote debugging
                                    PID:1472
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4528,i,18025784762184508838,5226940231433259083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4516 /prefetch:1
                                    5⤵
                                    • Uses browser remote debugging
                                    PID:1264
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4800,i,18025784762184508838,5226940231433259083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4628 /prefetch:8
                                    5⤵
                                      PID:1680
                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,18025784762184508838,5226940231433259083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4820 /prefetch:8
                                      5⤵
                                        PID:3968
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4860,i,18025784762184508838,5226940231433259083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4816 /prefetch:8
                                        5⤵
                                          PID:4280
                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5156,i,18025784762184508838,5226940231433259083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:8
                                          5⤵
                                            PID:4060
                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5160,i,18025784762184508838,5226940231433259083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4844 /prefetch:8
                                            5⤵
                                              PID:2644
                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4836,i,18025784762184508838,5226940231433259083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5096 /prefetch:8
                                              5⤵
                                                PID:4344
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4808,i,18025784762184508838,5226940231433259083,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5064 /prefetch:2
                                                5⤵
                                                • Uses browser remote debugging
                                                PID:5580
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
                                              4⤵
                                              • Uses browser remote debugging
                                              • Enumerates system info in registry
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                              • Suspicious use of FindShellTrayWindow
                                              PID:2452
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x170,0x174,0x178,0x14c,0x17c,0x7ffb396946f8,0x7ffb39694708,0x7ffb39694718
                                                5⤵
                                                • Checks processor information in registry
                                                • Enumerates system info in registry
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:4584
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,1408601627967386979,4566174591153262670,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
                                                5⤵
                                                  PID:2256
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,1408601627967386979,4566174591153262670,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
                                                  5⤵
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:3648
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,1408601627967386979,4566174591153262670,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2616 /prefetch:2
                                                  5⤵
                                                    PID:5292
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,1408601627967386979,4566174591153262670,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2376 /prefetch:8
                                                    5⤵
                                                      PID:5308
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2100,1408601627967386979,4566174591153262670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
                                                      5⤵
                                                      • Uses browser remote debugging
                                                      PID:5476
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2100,1408601627967386979,4566174591153262670,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
                                                      5⤵
                                                      • Uses browser remote debugging
                                                      PID:5488
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,1408601627967386979,4566174591153262670,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2384 /prefetch:2
                                                      5⤵
                                                        PID:5512
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,1408601627967386979,4566174591153262670,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2380 /prefetch:2
                                                        5⤵
                                                          PID:5528
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,1408601627967386979,4566174591153262670,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2360 /prefetch:2
                                                          5⤵
                                                            PID:2916
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,1408601627967386979,4566174591153262670,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3736 /prefetch:2
                                                            5⤵
                                                              PID:5560
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,1408601627967386979,4566174591153262670,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4560 /prefetch:2
                                                              5⤵
                                                                PID:5608
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,1408601627967386979,4566174591153262670,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2780 /prefetch:2
                                                                5⤵
                                                                  PID:5648
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,1408601627967386979,4566174591153262670,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4556 /prefetch:2
                                                                  5⤵
                                                                    PID:5780
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\Documents\IJJDBAEHIJ.exe"
                                                                  4⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:4440
                                                                  • C:\Users\Admin\Documents\IJJDBAEHIJ.exe
                                                                    "C:\Users\Admin\Documents\IJJDBAEHIJ.exe"
                                                                    5⤵
                                                                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                    • Checks BIOS information in registry
                                                                    • Executes dropped EXE
                                                                    • Identifies Wine through registry keys
                                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                    • System Location Discovery: System Language Discovery
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    PID:808
                                                            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4g445r.exe
                                                              C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4g445r.exe
                                                              2⤵
                                                              • Modifies Windows Defender Real-time Protection settings
                                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                              • Checks BIOS information in registry
                                                              • Executes dropped EXE
                                                              • Identifies Wine through registry keys
                                                              • Windows security modification
                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                              • System Location Discovery: System Language Discovery
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:4752
                                                          • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                                                            "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                                                            1⤵
                                                              PID:3844
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                                                              1⤵
                                                                PID:2784
                                                              • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                1⤵
                                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                • Checks BIOS information in registry
                                                                • Executes dropped EXE
                                                                • Identifies Wine through registry keys
                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                PID:5080
                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5756 -ip 5756
                                                                1⤵
                                                                  PID:1864
                                                                • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                  1⤵
                                                                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                  • Checks BIOS information in registry
                                                                  • Executes dropped EXE
                                                                  • Identifies Wine through registry keys
                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  PID:5548

                                                                Network

                                                                MITRE ATT&CK Enterprise v15

                                                                Reconnaissance

                                                                Resource Development

                                                                Initial Access

                                                                Execution

                                                                Persistence

                                                                Boot or Logon Autostart Execution

                                                                1
                                                                T1547

                                                                Registry Run Keys / Startup Folder

                                                                1
                                                                T1547.001

                                                                Create or Modify System Process

                                                                1
                                                                T1543

                                                                Windows Service

                                                                1
                                                                T1543.003

                                                                Modify Authentication Process

                                                                1
                                                                T1556

                                                                Privilege Escalation

                                                                Boot or Logon Autostart Execution

                                                                1
                                                                T1547

                                                                Registry Run Keys / Startup Folder

                                                                1
                                                                T1547.001

                                                                Create or Modify System Process

                                                                1
                                                                T1543

                                                                Windows Service

                                                                1
                                                                T1543.003

                                                                Defense Evasion

                                                                Impair Defenses

                                                                2
                                                                T1562

                                                                Disable or Modify Tools

                                                                2
                                                                T1562.001

                                                                Modify Authentication Process

                                                                1
                                                                T1556

                                                                Modify Registry

                                                                3
                                                                T1112

                                                                Virtualization/Sandbox Evasion

                                                                2
                                                                T1497

                                                                Credential Access

                                                                Credentials from Password Stores

                                                                1
                                                                T1555

                                                                Credentials from Web Browsers

                                                                1
                                                                T1555.003

                                                                Modify Authentication Process

                                                                1
                                                                T1556

                                                                Steal Web Session Cookie

                                                                1
                                                                T1539

                                                                Unsecured Credentials

                                                                4
                                                                T1552

                                                                Credentials In Files

                                                                4
                                                                T1552.001

                                                                Discovery

                                                                Browser Information Discovery

                                                                1
                                                                T1217

                                                                Query Registry

                                                                8
                                                                T1012

                                                                System Information Discovery

                                                                5
                                                                T1082

                                                                System Location Discovery

                                                                1
                                                                T1614

                                                                System Language Discovery

                                                                1
                                                                T1614.001

                                                                Virtualization/Sandbox Evasion

                                                                2
                                                                T1497

                                                                Lateral Movement

                                                                Collection

                                                                Data from Local System

                                                                3
                                                                T1005

                                                                Command and Control

                                                                Exfiltration

                                                                Impact

                                                                Replay Monitor

                                                                Loading Replay Monitor...

                                                                Downloads

                                                                • C:\ProgramData\mozglue.dll
                                                                  Filesize

                                                                  593KB

                                                                  MD5

                                                                  c8fd9be83bc728cc04beffafc2907fe9

                                                                  SHA1

                                                                  95ab9f701e0024cedfbd312bcfe4e726744c4f2e

                                                                  SHA256

                                                                  ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

                                                                  SHA512

                                                                  fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

                                                                  Download Submit

                                                                • C:\ProgramData\nss3.dll
                                                                  Filesize

                                                                  2.0MB

                                                                  MD5

                                                                  1cc453cdf74f31e4d913ff9c10acdde2

                                                                  SHA1

                                                                  6e85eae544d6e965f15fa5c39700fa7202f3aafe

                                                                  SHA256

                                                                  ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

                                                                  SHA512

                                                                  dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
                                                                  Filesize

                                                                  649B

                                                                  MD5

                                                                  ec8b16a8a93abd4ca4a59ce0a90180e5

                                                                  SHA1

                                                                  3a618c90d9c19b739f1ad6a7f4b26c31b5888748

                                                                  SHA256

                                                                  57d390ed42469d5415a2452b6362e5ca6820d16d23d3432eb06d5ae72cc86a32

                                                                  SHA512

                                                                  8c438acf474b3684c0374b8c33788c500d352bd38e84feba48f0a7eb6aec319b79badf0ad34cbd13d18ff33e6e30eebcc44e4067c155e49949537c4c972e942e

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\_locales\en_CA\messages.json
                                                                  Filesize

                                                                  851B

                                                                  MD5

                                                                  07ffbe5f24ca348723ff8c6c488abfb8

                                                                  SHA1

                                                                  6dc2851e39b2ee38f88cf5c35a90171dbea5b690

                                                                  SHA256

                                                                  6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

                                                                  SHA512

                                                                  7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\dasherSettingSchema.json
                                                                  Filesize

                                                                  854B

                                                                  MD5

                                                                  4ec1df2da46182103d2ffc3b92d20ca5

                                                                  SHA1

                                                                  fb9d1ba3710cf31a87165317c6edc110e98994ce

                                                                  SHA256

                                                                  6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

                                                                  SHA512

                                                                  939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                                                  Filesize

                                                                  2B

                                                                  MD5

                                                                  d751713988987e9331980363e24189ce

                                                                  SHA1

                                                                  97d170e1550eee4afc0af065b78cda302a97674c

                                                                  SHA256

                                                                  4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                                  SHA512

                                                                  b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
                                                                  Filesize

                                                                  150B

                                                                  MD5

                                                                  9cf9bb881d0d6f59f23a1a0a833a9076

                                                                  SHA1

                                                                  b273ae9bb9769d89399a695bc688b07f24024eb6

                                                                  SHA256

                                                                  76b98ae2595d994ca7d05060f7a5f23b98b7ce08c948e707ab44d0d7aaea8139

                                                                  SHA512

                                                                  5026f65929d9a96dac4e6a4aafd714e330cb514b46f2369fd9f7ef780255909a33e4fd9fa28fabfb325deda9c70bab6b6c1420dcfe29d11c3261daad2d730ea4

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\cd2f98c2-a3a4-42f4-89bf-8f0c98d9a4c8.dmp
                                                                  Filesize

                                                                  10.5MB

                                                                  MD5

                                                                  ae93c735064e21e2e4525b4fb0ecb6c8

                                                                  SHA1

                                                                  74904b0f42c2c71c2bdf9581728b95f855a1b0a4

                                                                  SHA256

                                                                  45649acd5e8b00f4d15379934fe256bd4c765767281516fe239e0adda147eacb

                                                                  SHA512

                                                                  597d68e61ad3156a401b38204d8c8d2193ad77605664e27737de167c94178d018280f72449102d3cdb960e0b9e0480a3c1346026094b6cfb5718962fed5f7209

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                  Filesize

                                                                  152B

                                                                  MD5

                                                                  e443ee4336fcf13c698b8ab5f3c173d0

                                                                  SHA1

                                                                  9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

                                                                  SHA256

                                                                  79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

                                                                  SHA512

                                                                  cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                  Filesize

                                                                  152B

                                                                  MD5

                                                                  56a4f78e21616a6e19da57228569489b

                                                                  SHA1

                                                                  21bfabbfc294d5f2aa1da825c5590d760483bc76

                                                                  SHA256

                                                                  d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

                                                                  SHA512

                                                                  c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\37103f54-9ba2-4681-93ff-b0c2726073b4.tmp
                                                                  Filesize

                                                                  1B

                                                                  MD5

                                                                  5058f1af8388633f609cadb75a75dc9d

                                                                  SHA1

                                                                  3a52ce780950d4d969792a2559cd519d7ee8c727

                                                                  SHA256

                                                                  cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

                                                                  SHA512

                                                                  0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                  Filesize

                                                                  5KB

                                                                  MD5

                                                                  67502caaeb485f37da163a58312483bb

                                                                  SHA1

                                                                  04237f0bb3b01e5758d0d03cdfb601dd5a9dcd31

                                                                  SHA256

                                                                  c42699c6b8f5f2d01ba2ff492b5654df8b7233ed3ecd6064d4cb5bd92fcdc5f3

                                                                  SHA512

                                                                  d6bf9663c4b7e6a1f15776aab6748ccd2243007e07bfa914e948cba9d1073d344b391c6f4674ccc3fbf0096ebc5640546bfaf95c7ae80e38afa53fb87b27ffab

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
                                                                  Filesize

                                                                  264KB

                                                                  MD5

                                                                  f50f89a0a91564d0b8a211f8921aa7de

                                                                  SHA1

                                                                  112403a17dd69d5b9018b8cede023cb3b54eab7d

                                                                  SHA256

                                                                  b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                                                  SHA512

                                                                  bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HA5FC889\download[1].htm
                                                                  Filesize

                                                                  1B

                                                                  MD5

                                                                  cfcd208495d565ef66e7dff9f98764da

                                                                  SHA1

                                                                  b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

                                                                  SHA256

                                                                  5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

                                                                  SHA512

                                                                  31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85mw8mk9.default-release\activity-stream.discovery_stream.json
                                                                  Filesize

                                                                  18KB

                                                                  MD5

                                                                  b00e9d37dd8a61c35a7027d28f3d4a34

                                                                  SHA1

                                                                  beea4f9cc3e33876be06d3cbbbc53bf473dd2bd2

                                                                  SHA256

                                                                  343defa9ac5be26d84b0311d83ab639b70fb66fa6bbb5e89ccc900010596ee29

                                                                  SHA512

                                                                  df2c98d9a1bb8be4c1e5332578b76d45e275757ba9e3eb4c8b20909e906635e240f4ae13977523e9496d71145b77b10310ea70cda693f5a3b0369770ae12ce1b

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85mw8mk9.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984
                                                                  Filesize

                                                                  13KB

                                                                  MD5

                                                                  d7d155349c896725d87aa6353e23a1d1

                                                                  SHA1

                                                                  7e7ab55478c35643fc99a9b4443095cfa6943da0

                                                                  SHA256

                                                                  89450743a4f2edfa052cee864575a0274371001ca8919fab12a754e12eba462d

                                                                  SHA512

                                                                  015130a0276d063b15993360babac767e4d923d258209fab7cc8751e3ba1905c7771a3a749febd9920ec2c4b642f95d7b29a462896e2fbbaf5d7c6f37a1a84bf

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85mw8mk9.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                                                                  Filesize

                                                                  15KB

                                                                  MD5

                                                                  96c542dec016d9ec1ecc4dddfcbaac66

                                                                  SHA1

                                                                  6199f7648bb744efa58acf7b96fee85d938389e4

                                                                  SHA256

                                                                  7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

                                                                  SHA512

                                                                  cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Temp\1014031001\IGEaNGi.exe
                                                                  Filesize

                                                                  1.7MB

                                                                  MD5

                                                                  ac1f270bd43a0c8717ae8defeec9aa56

                                                                  SHA1

                                                                  d5cf700b8c5fbed732d0a7ddc2e220445e37e422

                                                                  SHA256

                                                                  c3a4921613eba9ac79a2aca73843c28d1894f17ef49a451540f4b6f40f9f12db

                                                                  SHA512

                                                                  5afbc7252116384444d24c566f6a75aaf6de0aa142547b8063a04997a28fd0ae996558da5e16789170c702aaaca4d032e9939628ffa62fb3dd9129c96b91c9e6

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Temp\1014060001\3ed2172d0d.exe
                                                                  Filesize

                                                                  710KB

                                                                  MD5

                                                                  28e568616a7b792cac1726deb77d9039

                                                                  SHA1

                                                                  39890a418fb391b823ed5084533e2e24dff021e1

                                                                  SHA256

                                                                  9597798f7789adc29fbe97707b1bd8ca913c4d5861b0ad4fdd6b913af7c7a8e2

                                                                  SHA512

                                                                  85048799e6d2756f1d6af77f34e6a1f454c48f2f43042927845931b7ecff2e5de45f864627a3d4aa061252401225bbb6c2caa8532320ccbe401e97c9c79ac8e5

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Temp\1014067001\cbbcf6446e.exe
                                                                  Filesize

                                                                  2.5MB

                                                                  MD5

                                                                  2a78ce9f3872f5e591d643459cabe476

                                                                  SHA1

                                                                  9ac947dfc71a868bc9c2eb2bd78dfb433067682e

                                                                  SHA256

                                                                  21a2ac44acd7a640735870eebfd04b8dc57bc66877cb5be3b929299e86a43dae

                                                                  SHA512

                                                                  03e2cd8161a1394ee535a2ea7d197791ab715d69a02ffab98121ec5ac8150d2b17a9a32a59307042c4bbeffad7425b55efa047651de6ed39277dba80711454f9

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Temp\1014068001\c4c7d88f61.exe
                                                                  Filesize

                                                                  1.8MB

                                                                  MD5

                                                                  08e94750025a3f3bcb66a0ca315e6cd5

                                                                  SHA1

                                                                  8a8c4d7798398961dcd7e15498113e99d772b413

                                                                  SHA256

                                                                  042b1fec2226127339d5617c4d5619f00368a1a29482d22ee9af2677bf6ed5b8

                                                                  SHA512

                                                                  0406e9c66b9d529cc00505f6de7c659e60ab1a540f526f72dbe8414d998778134cbe3cadf164fc84ba8a074f20dd43a45b07e7edac3bb244794c3890fa469889

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Temp\1014069001\69cd7bea48.exe
                                                                  Filesize

                                                                  1.8MB

                                                                  MD5

                                                                  73d405f0df578e1ed00dfeba1b9c5a93

                                                                  SHA1

                                                                  37b57abf91513bc85b27e4c4ae85b75ff87898e1

                                                                  SHA256

                                                                  6f522eff93b41e3abe50bca8df761fd0e6313117578f3abc7e3f348eaebdabc3

                                                                  SHA512

                                                                  5b2b66e9cc75ca7d0322b6af3b4f6b9c54034de22f9a06372e5acae0aec6761be01ef6b6877619963dc5771f9063ab3648c8db390945a9db0e9503f66d9eba74

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Temp\1014070001\4248fb6d4d.exe
                                                                  Filesize

                                                                  945KB

                                                                  MD5

                                                                  dfcf9aed4ef053c895af85be24a590b6

                                                                  SHA1

                                                                  573f6e80824cc5283fa36ecd0f7af4e20fb5ff84

                                                                  SHA256

                                                                  da9096163edb680d23db15f15ad3aace3b0958ef9d132fa826f1f2e877849f15

                                                                  SHA512

                                                                  1e31470b161b5dea01f0959e828bb930444bd457e757de3727935f5b2d4a0dcb78ae80c97521c8d73bb9193b3628bccdc1cbf725d64bed84c15e6bb6d7ad31e8

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Temp\1014071001\ec77420635.exe
                                                                  Filesize

                                                                  2.6MB

                                                                  MD5

                                                                  dc5bc268caccf12fd6319ef3c9a10a51

                                                                  SHA1

                                                                  1f2e3d96fbc4a671d241bd98df292c399d2065d3

                                                                  SHA256

                                                                  f1644ce2dd236f32130a064d94b4e7bef23869d1431f9aedfb7744dd1032a3c0

                                                                  SHA512

                                                                  36fa488d0fb1ae07aa2928a69c2dd9b6c521c50b3ee6eed17f516daeafdd66d9b831caae19a3e6be981e6c249e7f4ad8b3338920b8b6761ae07265272596b8d4

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Temp\1014072001\3583fdfb13.exe
                                                                  Filesize

                                                                  1.9MB

                                                                  MD5

                                                                  2b35e5f7e4348426c4d64c4cf29cb606

                                                                  SHA1

                                                                  033ed58108645f07d134a89588eb3b0d520d26e7

                                                                  SHA256

                                                                  2e65a1034725bccb50d7c9f5c838c61ae9b9cb1ee4fa335e093e769665904d8a

                                                                  SHA512

                                                                  ebfff45da4af36e33f591037b43b6673435c3e6035ccd664e0f6ec732f31d0a7b943fd372c02a1aafc8e606c752106f41d239d045230fadf1353347131cbfe49

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4g445r.exe
                                                                  Filesize

                                                                  2.7MB

                                                                  MD5

                                                                  07df0ca2efa663656921765b094f6ade

                                                                  SHA1

                                                                  cf77c41d3b34051fb091198d4d919b4902286282

                                                                  SHA256

                                                                  f2ed88fc61e9dcd459aef1b3bd354d28399f7e02d50fac27841eb7d6a085420d

                                                                  SHA512

                                                                  efb6857aafe710f41137431242233d048ba88c4e858ac6ddd16b5c15ccbef0ab9bf4c728eb7bbe92bf5cec041a6e4485d48ef0ba9d3ee37b2a2c48701031c533

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\X5Z13.exe
                                                                  Filesize

                                                                  5.3MB

                                                                  MD5

                                                                  7972220c9b23d05c161ca91d96205b1b

                                                                  SHA1

                                                                  f920c288705050dfaa76112dd006b436593738bc

                                                                  SHA256

                                                                  ccbc9382fe77b8cdc46c3b30993797d0f6f74f2c9b56011fdbfdc4983bfd3d58

                                                                  SHA512

                                                                  e0c5a0d7bb1c28180aecfef3540a10215045698f551d59542b5d9f34443335e6055d6445c7cd5b127a52ad3beb00fad7607e5141951b7ad08439f0dcf7eb8597

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3k12F.exe
                                                                  Filesize

                                                                  1.7MB

                                                                  MD5

                                                                  e3dfbe72de430b4043393fb8ff8e2384

                                                                  SHA1

                                                                  47fc80752fa0339680a1b3cb3d4b1ba5d0a502c5

                                                                  SHA256

                                                                  2a78168b664e599c73fae2fb2f42c2198a7eb21453f8125e8393cde02129e101

                                                                  SHA512

                                                                  e9b40a49f868e2c36d706b4075b538d243f9e844cb0169985c3f03fe7dd0d60aec28374a2a1ca5c473efa9237f867e371f746e752ecf75c3c1c8f56e60c4a461

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\K8M22.exe
                                                                  Filesize

                                                                  3.5MB

                                                                  MD5

                                                                  6e870fac7336b15500ab25320aa847b4

                                                                  SHA1

                                                                  504066ff25faf62d0437a87e18757f02119845e0

                                                                  SHA256

                                                                  cf4fcbe212ab78c634a9878ab3a142ee94167817aa0545a67466323c3953e68f

                                                                  SHA512

                                                                  1e493ca01676d4db9cd0e563073d775c2bd26879db3168ce0f7da512d68bad536b4a8a30e01839ad1ec68c7425afcf7c2f05b26cd507af097419c8c773b57d2b

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1v90C3.exe
                                                                  Filesize

                                                                  3.0MB

                                                                  MD5

                                                                  071fd9342e197ab323e93e0395fadbd0

                                                                  SHA1

                                                                  23bac802089af599de74f3f43c82319bad647a53

                                                                  SHA256

                                                                  4b06b24b08b2b0a529474760b14024946d20d1c33b2ce78ea954a0b869e6d9cb

                                                                  SHA512

                                                                  abcaabf8532249f2244e2c31727fea6060b8aadf8897a508102c10f0a432f0e221a7117336d852e34473eef66f343013de6498f8e5a7d84f2da0e9d8fe7a436a

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2R6168.exe
                                                                  Filesize

                                                                  1.8MB

                                                                  MD5

                                                                  5fb2b7580911f21bbb4796c243f64201

                                                                  SHA1

                                                                  749b297f4236e65c1537e0d78f338a703fe5fc17

                                                                  SHA256

                                                                  249ce266acab1c44290fc30a908803ffd4e15ebfb49a86934a6b1c7f8e87d7b9

                                                                  SHA512

                                                                  c2fd8afe879c1a8d4b3f35a1634ed5d30447b07bbfefa3e583ebd9b2cebfcd6f97faafd72ca39930c2fa66a996742bbb489dcc8e12c15dba861866cab889ae3a

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Temp\scoped_dir1460_1169685222\26d37e56-5bbc-40fb-9af4-1e0a80ecbc8a.tmp
                                                                  Filesize

                                                                  135KB

                                                                  MD5

                                                                  3f6f93c3dccd4a91c4eb25c7f6feb1c1

                                                                  SHA1

                                                                  9b73f46adfa1f4464929b408407e73d4535c6827

                                                                  SHA256

                                                                  19f05352cb4c6e231c1c000b6c8b7e9edcc1e8082caf46fff16b239d32aa7c9e

                                                                  SHA512

                                                                  d488fa67e3a29d0147e9eaf2eabc74d9a255f8470cf79a4aea60e3b3b5e48a3fcbc4fc3e9ce58dff8d7d0caa8ae749295f221e1fe1ba5d20deb2d97544a12ba4

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Temp\scoped_dir1460_1169685222\CRX_INSTALL\_locales\en_CA\messages.json
                                                                  Filesize

                                                                  711B

                                                                  MD5

                                                                  558659936250e03cc14b60ebf648aa09

                                                                  SHA1

                                                                  32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

                                                                  SHA256

                                                                  2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

                                                                  SHA512

                                                                  1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                                                                  Filesize

                                                                  479KB

                                                                  MD5

                                                                  09372174e83dbbf696ee732fd2e875bb

                                                                  SHA1

                                                                  ba360186ba650a769f9303f48b7200fb5eaccee1

                                                                  SHA256

                                                                  c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                                                                  SHA512

                                                                  b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                                                                  Filesize

                                                                  13.8MB

                                                                  MD5

                                                                  0a8747a2ac9ac08ae9508f36c6d75692

                                                                  SHA1

                                                                  b287a96fd6cc12433adb42193dfe06111c38eaf0

                                                                  SHA256

                                                                  32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                                                                  SHA512

                                                                  59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\AlternateServices.bin
                                                                  Filesize

                                                                  13KB

                                                                  MD5

                                                                  9325095781d05137265e7d1976e6a2f5

                                                                  SHA1

                                                                  e2d600c46eed37f32f68ca309f527c3b6c3864ee

                                                                  SHA256

                                                                  d34794369622a2bf7d33e3c33c4985fa1a588c9d0a02944b698d2572326cfa8a

                                                                  SHA512

                                                                  d088079a0d1b781a159009e0883bcf6f5e6b28cc2f4b72f66f5ab4480b77d5fddbc19773891b5aac29cb7ba9f9aef3df8965fa2ab78a7fc729fd8e6433032d5e

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.bin
                                                                  Filesize

                                                                  22KB

                                                                  MD5

                                                                  5cdc004f215b660613f5dac1003f047e

                                                                  SHA1

                                                                  94b849c70277fb1763d2b231b173be93fce9edc9

                                                                  SHA256

                                                                  99f4639150331c2cfecb00815fca6c58914389a671e6cf006aa65d40ada32cb2

                                                                  SHA512

                                                                  304c4a41e244f8ba710b1ac64278ea18f32d78af6eb8c5643634920cbc6ae5c3a8910f4f7ee8104b24c4f049d805ca868e48e9480992c0ded6470025dd829ae2

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.bin
                                                                  Filesize

                                                                  5KB

                                                                  MD5

                                                                  aaaefaf416a1da8e2207f434cfdca232

                                                                  SHA1

                                                                  bdfa341cd90ff99bb27b645fdacf7142788277b4

                                                                  SHA256

                                                                  1ea2a87be6af439378e1afb8d99dc46ac6699d73e416ab663606952fa95dc78b

                                                                  SHA512

                                                                  b2a857709355427c0a0fee0a58ffc11a672f66a4f37c98bbe7fa3127dc1d20112ce1c50dbe66c1fa456a1d15fad001014964bf05c77c08efe3867d9d695664bf

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.bin
                                                                  Filesize

                                                                  14KB

                                                                  MD5

                                                                  19680de7f8cdd46100cc98bfda1f9e59

                                                                  SHA1

                                                                  bf90aa0ee4edcb33ddf0086622ccffb21417b977

                                                                  SHA256

                                                                  5700b0cc1bb054b898e86a645c6033a567f7d9225c8b65fcdf63061965d227a8

                                                                  SHA512

                                                                  5acf28239e468469645068540d4882def045d16a420e639172beacc317202bb518a270935043a32f378f87263f8bbd54259ca91418c09287296d98ed9f65088e

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp
                                                                  Filesize

                                                                  5KB

                                                                  MD5

                                                                  9862ba1220b6840995055fae401e3657

                                                                  SHA1

                                                                  0484f8c999a92ace7ea498817d64bb1ff0b46660

                                                                  SHA256

                                                                  1d840b3999aadd482e3d5cec02535a4c8fe4d7bb350d73bc50f421c754be19af

                                                                  SHA512

                                                                  a6830b52363fa49a571a2c1f2f09653d59ee2ec4a4688de28f4d0af3ed3096d0753cc4cb3f0b969ab927a694b94abdb22f694c5ec04a1717d1707289050ba83f

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp
                                                                  Filesize

                                                                  6KB

                                                                  MD5

                                                                  3b5d404760bbb17deedf7ca04df141b1

                                                                  SHA1

                                                                  f5c1a121c6e2a60376d40ad0fc468265c7845ff9

                                                                  SHA256

                                                                  dd040dcdbcf22faf3f610a012359f7977bce4248ebc346f63eb4aa105c48b9b0

                                                                  SHA512

                                                                  c9474e7c796010798c6b65d81d52a38c0dd15eddc6c0a2df88c7a7c0ce20280900d219decfaef0815cde8bc063ee547a679f98fb8b7ff0c3dff1c6bb8fbfbfdb

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp
                                                                  Filesize

                                                                  15KB

                                                                  MD5

                                                                  d3fdb4aab7650050995a12588ecc2a9c

                                                                  SHA1

                                                                  11568f4442fdd619ba7d7752d9ffa249a4bc9517

                                                                  SHA256

                                                                  6b153b7da7e1509090ac7aac5a31649e8e8c448fe31205953621ba0a69d46144

                                                                  SHA512

                                                                  859ad3dcfac11842199dee21874a60b4d53abb0692f7ff1bcc13c45dcef739dff19cf5aafff061fc6594adaf0d489cfb81b915a54f276d9ad6e835117e73eeb9

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp
                                                                  Filesize

                                                                  6KB

                                                                  MD5

                                                                  d70e5508e91377804564b7d5f62d0be3

                                                                  SHA1

                                                                  a82b5e753e63fd27ff903fa4bb39e8aad4aeab57

                                                                  SHA256

                                                                  692bbe00772d67d31c3c77567e6f725e7dc350f52d99dd6cedc28dc059cdeda6

                                                                  SHA512

                                                                  3bb7ffb99b996f2a0b0d63549b795e621aa03de42edfb9b643bf8c58d6135cf9cc5ab855290c83583e7c94f44f020f56f5de0676fb7e013908450f88e4417e0d

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp
                                                                  Filesize

                                                                  15KB

                                                                  MD5

                                                                  ed274d38a88865914a7fccc5ba8889e3

                                                                  SHA1

                                                                  31630277c2261bbb517492226338c39875176e3c

                                                                  SHA256

                                                                  6eec02cf6deae95a34afee422e525882ec90ef137f6746f19c9ac90904a150b5

                                                                  SHA512

                                                                  bd82ba0b7d1396f3fecaae7265f9c3d43bea56127f2d19906dad53ec8f3269e2f578472689b351e86b67b0b275cb1a40ffb5180a697b33c86d729cbe31829309

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\pending_pings\15ca4c90-1e25-4454-a7d7-1d0e334ff00b
                                                                  Filesize

                                                                  24KB

                                                                  MD5

                                                                  fec56a8cf6196c9b3a8c5298d613ddd9

                                                                  SHA1

                                                                  a146bcf8e24ba97d0885caca2c7ee1b3c58cb60c

                                                                  SHA256

                                                                  892d2290cb8fb3aeced8040f5b9370c6f1a2c7a3bce3daeb0d88268d6e295080

                                                                  SHA512

                                                                  56c6ea8e3bf6df6382d5648a6caaffccfbfea06d5921fe2c7ea656126ba754328d07cc053fd73140984b7d1cdc72ee372ef047515eefc142beb0de741488e105

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\pending_pings\1e8a8eae-1787-4a4b-88ad-36f71aa1faa4
                                                                  Filesize

                                                                  671B

                                                                  MD5

                                                                  023de603d50e6563f6920a85e9dafa75

                                                                  SHA1

                                                                  b2a84b890dcb91b6065cb9f7e2d1ae36e0ddfad0

                                                                  SHA256

                                                                  909cccad5308d20f95c024080a09c150c32e3f37f955f111b3b5fa7ffe39ded2

                                                                  SHA512

                                                                  bc6385361ec0de451fa944c4dd9dbceb1289f2a51488f1489877b853d5fb8a5c761d9d92d8037685abca068317fc95ea1eee0b19f996e28645bc8af31af39bcf

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\pending_pings\4d602c23-c9c6-4070-8383-f63c75110ed6
                                                                  Filesize

                                                                  982B

                                                                  MD5

                                                                  8ababc2af6fab8109ed63fc4c7293901

                                                                  SHA1

                                                                  367eac8338280f7f5ef7794e8b671695493272f2

                                                                  SHA256

                                                                  3d173ec1bc9c4cb15dd28d3cd3a68e6f7d855beb2c5fe80070e3d39dc344f6d3

                                                                  SHA512

                                                                  5b946ab46b2d839b95abb91e9ef344739068b8b6a30575c65e5eb29ca05e85844f88f1c4bb2af213e13c84ff5038debffac5121d3a36005f0d80b2b4b93251da

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                                                                  Filesize

                                                                  1.1MB

                                                                  MD5

                                                                  842039753bf41fa5e11b3a1383061a87

                                                                  SHA1

                                                                  3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                                                                  SHA256

                                                                  d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                                                                  SHA512

                                                                  d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                                                                  Filesize

                                                                  116B

                                                                  MD5

                                                                  2a461e9eb87fd1955cea740a3444ee7a

                                                                  SHA1

                                                                  b10755914c713f5a4677494dbe8a686ed458c3c5

                                                                  SHA256

                                                                  4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                                                                  SHA512

                                                                  34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                                                                  Filesize

                                                                  372B

                                                                  MD5

                                                                  bf957ad58b55f64219ab3f793e374316

                                                                  SHA1

                                                                  a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                                                                  SHA256

                                                                  bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                                                                  SHA512

                                                                  79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                                                                  Filesize

                                                                  17.8MB

                                                                  MD5

                                                                  daf7ef3acccab478aaa7d6dc1c60f865

                                                                  SHA1

                                                                  f8246162b97ce4a945feced27b6ea114366ff2ad

                                                                  SHA256

                                                                  bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                                                                  SHA512

                                                                  5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs-1.js
                                                                  Filesize

                                                                  15KB

                                                                  MD5

                                                                  88b7459b48d512b814c5454dd2051b59

                                                                  SHA1

                                                                  de235f6fefe4c8d11924354d30525e1929aa5c66

                                                                  SHA256

                                                                  1d3e774e764cbf6e5e5a803ecd90ccfa0a51b72b40b452132ae5e2322c12765b

                                                                  SHA512

                                                                  6f47613e80a49178bb85fd55b5a1b2808f51d431c1fdd44283a372cd109a50ed06a8a708eda148abaab3334f892636f51c99f556704640155bf6ab343ebb19b7

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs-1.js
                                                                  Filesize

                                                                  10KB

                                                                  MD5

                                                                  8dd00c8cfb3b246da5decf555fc295d9

                                                                  SHA1

                                                                  47d6ba3b74d287dad18fdd56c92a443a951c2060

                                                                  SHA256

                                                                  ca9102e77e32803ecdd5c3394896aeb3d8e79df519a86a092cad2dfee2090ac0

                                                                  SHA512

                                                                  8fc9de592333090e8fd394d7fe599acd590d674f37fbb0eb2b0cb12c4fbc68d743c8bf60e07e4b4891d8bf6eb4128a938c4569bf7b4040b8ab4d58320ac679f2

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs-1.js
                                                                  Filesize

                                                                  11KB

                                                                  MD5

                                                                  c2da24d9e6493f4f6ad853a71361d24a

                                                                  SHA1

                                                                  8fefe51650838f6ee0e10d961de1d4d59003cac6

                                                                  SHA256

                                                                  2e5090a0f162354068e7636a5a7a29299ce8275885fd80cde3d592461bcccc6f

                                                                  SHA512

                                                                  16cec6c989186319369c021ae4c51cfe0ca372e96ad5e5b06219417c6fa241e98ccea5d54e2bfed8f221cc36319c87776f02d6ffdbf73fc852887befe93ff836

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs.js
                                                                  Filesize

                                                                  11KB

                                                                  MD5

                                                                  92d6649fa8312412b8ae05f7398a3b4a

                                                                  SHA1

                                                                  ed0a54121eaa7ede59d500e314758de20379e7c4

                                                                  SHA256

                                                                  fdb0f64ec2463b53bbf4a3186e30efdbd6ff5288d164342b39ba76661db73901

                                                                  SHA512

                                                                  c2745bcf3933c3a4b7321bb5429be6f6c0e833d7bb7a515a3fd1be9d241b3fa09fe81005747c20107dfbba799d518e666d9e654b6ade67a918c988652982ea44

                                                                  Download Submit

                                                                • C:\Users\Admin\Documents\IJJDBAEHIJ.exe
                                                                  Filesize

                                                                  3.1MB

                                                                  MD5

                                                                  78561666eff98f5ad571790ebcc3b012

                                                                  SHA1

                                                                  be60ffcdb5f1800674581eb3d7ba88a7e88fbf50

                                                                  SHA256

                                                                  debf4f87bb82c188c8eb20a5a2d63d89ed0f0722c423e431f8a7e29bc3301908

                                                                  SHA512

                                                                  669760113c6a03ec6a706a8b3d0dd9c4e142ee5beb8bd6582e6e5ed76b4bf3f60deaf921957d168a0d65533ceea04aa74290e065fdb6ac1a5951921ad26f5c53

                                                                  Download Submit

                                                                • memory/808-746-0x00000000009E0000-0x0000000000D05000-memory.dmp

                                                                  Filesize

                                                                  3.1MB

                                                                  Download

                                                                • memory/808-719-0x00000000009E0000-0x0000000000D05000-memory.dmp

                                                                  Filesize

                                                                  3.1MB

                                                                  Download

                                                                • memory/840-66-0x0000000007670000-0x0000000007702000-memory.dmp

                                                                  Filesize

                                                                  584KB

                                                                  Download

                                                                • memory/840-562-0x00000000004A0000-0x00000000008FE000-memory.dmp

                                                                  Filesize

                                                                  4.4MB

                                                                  Download

                                                                • memory/840-63-0x00000000004A0000-0x00000000008FE000-memory.dmp

                                                                  Filesize

                                                                  4.4MB

                                                                  Download

                                                                • memory/840-64-0x00000000004A0000-0x00000000008FE000-memory.dmp

                                                                  Filesize

                                                                  4.4MB

                                                                  Download

                                                                • memory/840-65-0x00000000004A0000-0x00000000008FE000-memory.dmp

                                                                  Filesize

                                                                  4.4MB

                                                                  Download

                                                                • memory/840-68-0x0000000007A20000-0x0000000007A86000-memory.dmp

                                                                  Filesize

                                                                  408KB

                                                                  Download

                                                                • memory/840-106-0x0000000009290000-0x0000000009834000-memory.dmp

                                                                  Filesize

                                                                  5.6MB

                                                                  Download

                                                                • memory/840-525-0x00000000004A0000-0x00000000008FE000-memory.dmp

                                                                  Filesize

                                                                  4.4MB

                                                                  Download

                                                                • memory/2976-123-0x0000000000400000-0x0000000000457000-memory.dmp

                                                                  Filesize

                                                                  348KB

                                                                  Download

                                                                • memory/2976-125-0x0000000000400000-0x0000000000457000-memory.dmp

                                                                  Filesize

                                                                  348KB

                                                                  Download

                                                                • memory/2976-127-0x0000000000400000-0x0000000000457000-memory.dmp

                                                                  Filesize

                                                                  348KB

                                                                  Download

                                                                • memory/3016-21-0x00000000002B0000-0x00000000005BE000-memory.dmp

                                                                  Filesize

                                                                  3.1MB

                                                                  Download

                                                                • memory/3016-35-0x00000000002B0000-0x00000000005BE000-memory.dmp

                                                                  Filesize

                                                                  3.1MB

                                                                  Download

                                                                • memory/3100-97-0x00000000005E0000-0x00000000008EE000-memory.dmp

                                                                  Filesize

                                                                  3.1MB

                                                                  Download

                                                                • memory/3100-2037-0x00000000005E0000-0x00000000008EE000-memory.dmp

                                                                  Filesize

                                                                  3.1MB

                                                                  Download

                                                                • memory/3100-1613-0x00000000005E0000-0x00000000008EE000-memory.dmp

                                                                  Filesize

                                                                  3.1MB

                                                                  Download

                                                                • memory/3100-3460-0x00000000005E0000-0x00000000008EE000-memory.dmp

                                                                  Filesize

                                                                  3.1MB

                                                                  Download

                                                                • memory/3100-722-0x00000000005E0000-0x00000000008EE000-memory.dmp

                                                                  Filesize

                                                                  3.1MB

                                                                  Download

                                                                • memory/3100-656-0x00000000005E0000-0x00000000008EE000-memory.dmp

                                                                  Filesize

                                                                  3.1MB

                                                                  Download

                                                                • memory/3100-4329-0x00000000005E0000-0x00000000008EE000-memory.dmp

                                                                  Filesize

                                                                  3.1MB

                                                                  Download

                                                                • memory/3100-1582-0x00000000005E0000-0x00000000008EE000-memory.dmp

                                                                  Filesize

                                                                  3.1MB

                                                                  Download

                                                                • memory/3100-772-0x00000000005E0000-0x00000000008EE000-memory.dmp

                                                                  Filesize

                                                                  3.1MB

                                                                  Download

                                                                • memory/3100-4334-0x00000000005E0000-0x00000000008EE000-memory.dmp

                                                                  Filesize

                                                                  3.1MB

                                                                  Download

                                                                • memory/3100-4333-0x00000000005E0000-0x00000000008EE000-memory.dmp

                                                                  Filesize

                                                                  3.1MB

                                                                  Download

                                                                • memory/3100-32-0x00000000005E0000-0x00000000008EE000-memory.dmp

                                                                  Filesize

                                                                  3.1MB

                                                                  Download

                                                                • memory/3100-4320-0x00000000005E0000-0x00000000008EE000-memory.dmp

                                                                  Filesize

                                                                  3.1MB

                                                                  Download

                                                                • memory/3100-67-0x00000000005E0000-0x00000000008EE000-memory.dmp

                                                                  Filesize

                                                                  3.1MB

                                                                  Download

                                                                • memory/3100-4335-0x00000000005E0000-0x00000000008EE000-memory.dmp

                                                                  Filesize

                                                                  3.1MB

                                                                  Download

                                                                • memory/3100-586-0x00000000005E0000-0x00000000008EE000-memory.dmp

                                                                  Filesize

                                                                  3.1MB

                                                                  Download

                                                                • memory/3736-721-0x00000000004A0000-0x0000000000B35000-memory.dmp

                                                                  Filesize

                                                                  6.6MB

                                                                  Download

                                                                • memory/3736-706-0x00000000004A0000-0x0000000000B35000-memory.dmp

                                                                  Filesize

                                                                  6.6MB

                                                                  Download

                                                                • memory/3736-52-0x00000000004A0000-0x0000000000B35000-memory.dmp

                                                                  Filesize

                                                                  6.6MB

                                                                  Download

                                                                • memory/3736-610-0x00000000004A0000-0x0000000000B35000-memory.dmp

                                                                  Filesize

                                                                  6.6MB

                                                                  Download

                                                                • memory/3736-77-0x0000000061E00000-0x0000000061EF3000-memory.dmp

                                                                  Filesize

                                                                  972KB

                                                                  Download

                                                                • memory/3736-515-0x00000000004A0000-0x0000000000B35000-memory.dmp

                                                                  Filesize

                                                                  6.6MB

                                                                  Download

                                                                • memory/3736-514-0x00000000004A0000-0x0000000000B35000-memory.dmp

                                                                  Filesize

                                                                  6.6MB

                                                                  Download

                                                                • memory/4092-40-0x0000000000540000-0x00000000009E2000-memory.dmp

                                                                  Filesize

                                                                  4.6MB

                                                                  Download

                                                                • memory/4092-39-0x0000000000540000-0x00000000009E2000-memory.dmp

                                                                  Filesize

                                                                  4.6MB

                                                                  Download

                                                                • memory/4172-743-0x0000000000B70000-0x000000000121C000-memory.dmp

                                                                  Filesize

                                                                  6.7MB

                                                                  Download

                                                                • memory/4172-750-0x0000000000B70000-0x000000000121C000-memory.dmp

                                                                  Filesize

                                                                  6.7MB

                                                                  Download

                                                                • memory/4752-748-0x0000000000F40000-0x00000000011F6000-memory.dmp

                                                                  Filesize

                                                                  2.7MB

                                                                  Download

                                                                • memory/4752-1346-0x0000000000F40000-0x00000000011F6000-memory.dmp

                                                                  Filesize

                                                                  2.7MB

                                                                  Download

                                                                • memory/4752-726-0x0000000000F40000-0x00000000011F6000-memory.dmp

                                                                  Filesize

                                                                  2.7MB

                                                                  Download

                                                                • memory/4752-747-0x0000000000F40000-0x00000000011F6000-memory.dmp

                                                                  Filesize

                                                                  2.7MB

                                                                  Download

                                                                • memory/4752-773-0x0000000000F40000-0x00000000011F6000-memory.dmp

                                                                  Filesize

                                                                  2.7MB

                                                                  Download

                                                                • memory/4756-4208-0x0000000000E30000-0x00000000012F1000-memory.dmp

                                                                  Filesize

                                                                  4.8MB

                                                                  Download

                                                                • memory/4756-752-0x0000000000E30000-0x00000000012F1000-memory.dmp

                                                                  Filesize

                                                                  4.8MB

                                                                  Download

                                                                • memory/4756-705-0x0000000000E30000-0x00000000012F1000-memory.dmp

                                                                  Filesize

                                                                  4.8MB

                                                                  Download

                                                                • memory/4756-1535-0x0000000000E30000-0x00000000012F1000-memory.dmp

                                                                  Filesize

                                                                  4.8MB

                                                                  Download

                                                                • memory/4756-4325-0x0000000000E30000-0x00000000012F1000-memory.dmp

                                                                  Filesize

                                                                  4.8MB

                                                                  Download

                                                                • memory/4756-1608-0x0000000000E30000-0x00000000012F1000-memory.dmp

                                                                  Filesize

                                                                  4.8MB

                                                                  Download

                                                                • memory/4756-1846-0x0000000000E30000-0x00000000012F1000-memory.dmp

                                                                  Filesize

                                                                  4.8MB

                                                                  Download

                                                                • memory/4756-3319-0x0000000000E30000-0x00000000012F1000-memory.dmp

                                                                  Filesize

                                                                  4.8MB

                                                                  Download

                                                                • memory/4756-771-0x0000000000E30000-0x00000000012F1000-memory.dmp

                                                                  Filesize

                                                                  4.8MB

                                                                  Download

                                                                • memory/5080-744-0x00000000005E0000-0x00000000008EE000-memory.dmp

                                                                  Filesize

                                                                  3.1MB

                                                                  Download

                                                                • memory/5080-751-0x00000000005E0000-0x00000000008EE000-memory.dmp

                                                                  Filesize

                                                                  3.1MB

                                                                  Download

                                                                • memory/5168-707-0x0000000000400000-0x0000000000457000-memory.dmp

                                                                  Filesize

                                                                  348KB

                                                                  Download

                                                                • memory/5488-792-0x00000000003F0000-0x00000000006A0000-memory.dmp

                                                                  Filesize

                                                                  2.7MB

                                                                  Download

                                                                • memory/5488-1599-0x00000000003F0000-0x00000000006A0000-memory.dmp

                                                                  Filesize

                                                                  2.7MB

                                                                  Download

                                                                • memory/5488-801-0x00000000003F0000-0x00000000006A0000-memory.dmp

                                                                  Filesize

                                                                  2.7MB

                                                                  Download

                                                                • memory/5488-802-0x00000000003F0000-0x00000000006A0000-memory.dmp

                                                                  Filesize

                                                                  2.7MB

                                                                  Download

                                                                • memory/5488-1596-0x00000000003F0000-0x00000000006A0000-memory.dmp

                                                                  Filesize

                                                                  2.7MB

                                                                  Download

                                                                • memory/5548-4323-0x00000000005E0000-0x00000000008EE000-memory.dmp

                                                                  Filesize

                                                                  3.1MB

                                                                  Download

                                                                • memory/5756-1877-0x0000000000400000-0x0000000000C79000-memory.dmp

                                                                  Filesize

                                                                  8.5MB

                                                                  Download

                                                                • memory/5756-3400-0x0000000000400000-0x0000000000C79000-memory.dmp

                                                                  Filesize

                                                                  8.5MB

                                                                  Download

                                                                • memory/5756-3435-0x0000000000400000-0x0000000000C79000-memory.dmp

                                                                  Filesize

                                                                  8.5MB

                                                                  Download

                                                                • memory/5756-1610-0x0000000000400000-0x0000000000C79000-memory.dmp

                                                                  Filesize

                                                                  8.5MB

                                                                  Download

                                                                • memory/5756-1591-0x0000000010000000-0x000000001001C000-memory.dmp

                                                                  Filesize

                                                                  112KB

                                                                  Download

                                                                • memory/5756-1609-0x0000000000400000-0x0000000000C79000-memory.dmp

                                                                  Filesize

                                                                  8.5MB

                                                                  Download

                                                                • memory/5756-1557-0x0000000000400000-0x0000000000C79000-memory.dmp

                                                                  Filesize

                                                                  8.5MB

                                                                  Download