vidar | 8b34e6283a4e30009a0ad792723817cfb0d5cdbbbe119948aa6e887bd59e1620

max time kernel
366s
max time network
573s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-01-2025 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66bddfcb52736_vidar.exe
Size

190KB
MD5

fedb687ed23f77925b35623027f799bb
SHA1

7f27d0290ecc2c81bf2b2d0fa1026f54fd687c81
SHA256

325396d5ffca8546730b9a56c2d0ed99238d48b5e1c3c49e7d027505ea13b8d1
SHA512

6d1fa39560f4d7ca57905bc57d615acf96b1ef69ca2a4d7c0353278e8d4466298ed87f514463c49d671cb0e3b6a269a78636a10a1e463dba5c83fe067dc5df18
SSDEEP

3072:XqsEJybpRHuJKKBardRei4UGvI96/ZO6RAkeOCeP9sZy28se:XqsMyNRHuKikUi42KZO6PffmZy2d

Score

10^/10

vidar 877956da9963e0825aa43a159a358f24 credential_access defense_evasion discovery spyware stealer upx

Malware Config

Extracted

Family

vidar

Version

10.7

Botnet

877956da9963e0825aa43a159a358f24

https://steamcommunity.com/profiles/76561199751190313

https://t.me/pech0nk

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36

Signatures

Detect Vidar Stealer 5 IoCs

stealer

resource	yara_rule
behavioral2/memory/1976-9-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/1976-4-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/1976-7-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/1976-21-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral2/memory/1976-25-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	regedit.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Executes dropped EXE 5 IoCs

pid	Process
952	monero-gui-install-win-x64-v0.18.3.4.exe
4712	_setup64.tmp
6116	monero-wallet-gui.exe
6672	monerod.exe
7004	monerod.exe

Loads dropped DLL 1 IoCs

pid	Process
6116	monero-wallet-gui.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3460 set thread context of 1976	3460	66bddfcb52736_vidar.exe	82
PID 5376 set thread context of 5548	5376	66bddfcb52736_vidar.exe	168
PID 6164 set thread context of 6204	6164	66bddfcb52736_vidar.exe	170

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/7876-4192-0x00000000757A0000-0x0000000075BE3000-memory.dmp	upx
behavioral2/memory/7876-4194-0x00000000756E0000-0x00000000756EC000-memory.dmp	upx
behavioral2/memory/7876-4193-0x00000000756F0000-0x000000007570F000-memory.dmp	upx
behavioral2/memory/7876-4195-0x00000000756C0000-0x00000000756D6000-memory.dmp	upx
behavioral2/memory/7876-4198-0x0000000075650000-0x000000007565D000-memory.dmp	upx
behavioral2/memory/7876-4197-0x0000000075660000-0x000000007566C000-memory.dmp	upx
behavioral2/memory/7876-4196-0x0000000075670000-0x000000007567C000-memory.dmp	upx
behavioral2/memory/7876-4199-0x0000000075620000-0x0000000075648000-memory.dmp	upx
behavioral2/memory/7876-4203-0x00000000757A0000-0x0000000075BE3000-memory.dmp	upx
behavioral2/memory/7876-4202-0x0000000075320000-0x000000007557C000-memory.dmp	upx
behavioral2/memory/7876-4200-0x0000000075580000-0x0000000075614000-memory.dmp	upx
behavioral2/memory/7876-4204-0x0000000075300000-0x0000000075315000-memory.dmp	upx
behavioral2/memory/7876-4206-0x00000000752D0000-0x00000000752F7000-memory.dmp	upx
behavioral2/memory/7876-4205-0x00000000756F0000-0x000000007570F000-memory.dmp	upx
behavioral2/memory/7876-4208-0x0000000074D50000-0x00000000752C8000-memory.dmp	upx
behavioral2/memory/7876-4207-0x00000000756E0000-0x00000000756EC000-memory.dmp	upx
behavioral2/memory/7876-4210-0x0000000074D20000-0x0000000074D4F000-memory.dmp	upx
behavioral2/memory/7876-4209-0x00000000756C0000-0x00000000756D6000-memory.dmp	upx
behavioral2/memory/7876-4211-0x0000000074D10000-0x0000000074D20000-memory.dmp	upx
behavioral2/memory/7876-4213-0x0000000074B90000-0x0000000074BC5000-memory.dmp	upx
behavioral2/memory/7876-4212-0x0000000075660000-0x000000007566C000-memory.dmp	upx
behavioral2/memory/7876-4215-0x0000000074B80000-0x0000000074B8A000-memory.dmp	upx
behavioral2/memory/7876-4214-0x0000000075650000-0x000000007565D000-memory.dmp	upx
behavioral2/memory/7876-4217-0x0000000074A60000-0x0000000074B74000-memory.dmp	upx
behavioral2/memory/7876-4216-0x0000000075620000-0x0000000075648000-memory.dmp	upx
behavioral2/memory/7876-4221-0x00000000749D0000-0x00000000749DB000-memory.dmp	upx
behavioral2/memory/7876-4252-0x00000000752D0000-0x00000000752F7000-memory.dmp	upx
behavioral2/memory/7876-4258-0x0000000074A60000-0x0000000074B74000-memory.dmp	upx
behavioral2/memory/7876-4257-0x0000000074B80000-0x0000000074B8A000-memory.dmp	upx
behavioral2/memory/7876-4256-0x0000000074B90000-0x0000000074BC5000-memory.dmp	upx
behavioral2/memory/7876-4255-0x0000000074D10000-0x0000000074D20000-memory.dmp	upx
behavioral2/memory/7876-4254-0x0000000074D20000-0x0000000074D4F000-memory.dmp	upx
behavioral2/memory/7876-4253-0x0000000074D50000-0x00000000752C8000-memory.dmp	upx
behavioral2/memory/7876-4251-0x0000000075300000-0x0000000075315000-memory.dmp	upx
behavioral2/memory/7876-4250-0x00000000757A0000-0x0000000075BE3000-memory.dmp	upx
behavioral2/memory/7876-4249-0x0000000075580000-0x0000000075614000-memory.dmp	upx
behavioral2/memory/7876-4248-0x0000000075620000-0x0000000075648000-memory.dmp	upx
behavioral2/memory/7876-4247-0x0000000075650000-0x000000007565D000-memory.dmp	upx
behavioral2/memory/7876-4246-0x0000000075660000-0x000000007566C000-memory.dmp	upx
behavioral2/memory/7876-4245-0x0000000075670000-0x000000007567C000-memory.dmp	upx
behavioral2/memory/7876-4244-0x00000000756C0000-0x00000000756D6000-memory.dmp	upx
behavioral2/memory/7876-4243-0x00000000756E0000-0x00000000756EC000-memory.dmp	upx
behavioral2/memory/7876-4242-0x00000000756F0000-0x000000007570F000-memory.dmp	upx
behavioral2/memory/7876-4241-0x0000000075320000-0x000000007557C000-memory.dmp	upx
behavioral2/memory/7876-4219-0x0000000075580000-0x0000000075614000-memory.dmp	upx
behavioral2/memory/6672-4319-0x00000000757A0000-0x0000000075BE3000-memory.dmp	upx
behavioral2/memory/6672-4320-0x00000000756E0000-0x00000000756EC000-memory.dmp	upx
behavioral2/memory/6672-4321-0x00000000756C0000-0x00000000756D6000-memory.dmp	upx
behavioral2/memory/6672-4322-0x0000000075670000-0x000000007567C000-memory.dmp	upx
behavioral2/memory/6672-4324-0x0000000075650000-0x000000007565D000-memory.dmp	upx
behavioral2/memory/6672-4323-0x0000000075660000-0x000000007566C000-memory.dmp	upx
behavioral2/memory/6672-4326-0x0000000075320000-0x000000007557C000-memory.dmp	upx
behavioral2/memory/6672-4327-0x00000000757A0000-0x0000000075BE3000-memory.dmp	upx
behavioral2/memory/6672-4329-0x00000000752D0000-0x00000000752F7000-memory.dmp	upx
behavioral2/memory/6672-4328-0x00000000756F0000-0x000000007570F000-memory.dmp	upx
behavioral2/memory/6672-4330-0x0000000074D50000-0x00000000752C8000-memory.dmp	upx
behavioral2/memory/6672-4331-0x00000000756C0000-0x00000000756D6000-memory.dmp	upx
behavioral2/memory/6672-4332-0x0000000074D10000-0x0000000074D20000-memory.dmp	upx
behavioral2/memory/6672-4333-0x0000000074B90000-0x0000000074BC5000-memory.dmp	upx
behavioral2/memory/6672-4335-0x0000000074B80000-0x0000000074B8A000-memory.dmp	upx
behavioral2/memory/6672-4334-0x0000000075650000-0x000000007565D000-memory.dmp	upx
behavioral2/memory/6672-4337-0x0000000074A60000-0x0000000074B74000-memory.dmp	upx
behavioral2/memory/6672-4336-0x0000000075620000-0x0000000075648000-memory.dmp	upx
behavioral2/memory/6672-4338-0x0000000075580000-0x0000000075614000-memory.dmp	upx

Drops file in Program Files directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Monero GUI Wallet\monero-blockchain-export.exe	monero-gui-install-win-x64-v0.18.3.4.tmp
File opened for modification	C:\Program Files\Monero GUI Wallet\monero-gen-ssl-cert.exe	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-QGBD4.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File opened for modification	C:\Program Files\Monero GUI Wallet\monero-blockchain-import.exe	monero-gui-install-win-x64-v0.18.3.4.tmp
File opened for modification	C:\Program Files\Monero GUI Wallet\monero-blockchain-mark-spent-outputs.exe	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-MNPBK.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-PA17M.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-H9BI5.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File opened for modification	C:\Program Files\Monero GUI Wallet\monero-blockchain-usage.exe	monero-gui-install-win-x64-v0.18.3.4.tmp
File opened for modification	C:\Program Files\Monero GUI Wallet\opengl32sw.dll	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-4V7TQ.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-NUH06.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-V5QHL.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-26GTL.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File opened for modification	C:\Program Files\Monero GUI Wallet\monero-wallet-gui.exe	monero-gui-install-win-x64-v0.18.3.4.tmp
File opened for modification	C:\Program Files\Monero GUI Wallet\monero-wallet-cli.exe	monero-gui-install-win-x64-v0.18.3.4.tmp
File opened for modification	C:\Program Files\Monero GUI Wallet\monero-gen-trusted-multisig.exe	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-M433H.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-TMSDL.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File opened for modification	C:\Program Files\Monero GUI Wallet\monero-blockchain-depth.exe	monero-gui-install-win-x64-v0.18.3.4.tmp
File opened for modification	C:\Program Files\Monero GUI Wallet\monero-blockchain-stats.exe	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-8LGO4.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-IH1QN.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File opened for modification	C:\Program Files\Monero GUI Wallet\monero-wallet-rpc.exe	monero-gui-install-win-x64-v0.18.3.4.tmp
File opened for modification	C:\Program Files\Monero GUI Wallet\monero-blockchain-ancestry.exe	monero-gui-install-win-x64-v0.18.3.4.tmp
File opened for modification	C:\Program Files\Monero GUI Wallet\monero-blockchain-prune-known-spent-data.exe	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\unins000.dat	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-R30KU.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-6G95E.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-4NUQR.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-F2HMR.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-PA2TV.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-9JD6Q.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-B12GI.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-9QIOE.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File opened for modification	C:\Program Files\Monero GUI Wallet\unins000.dat	monero-gui-install-win-x64-v0.18.3.4.tmp
File opened for modification	C:\Program Files\Monero GUI Wallet\monerod.exe	monero-gui-install-win-x64-v0.18.3.4.tmp
File opened for modification	C:\Program Files\Monero GUI Wallet\monero-blockchain-prune.exe	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-VHBUK.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-CH4GQ.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File created	C:\Program Files\Monero GUI Wallet\is-RJJCO.tmp	monero-gui-install-win-x64-v0.18.3.4.tmp
File opened for modification	C:\Program Files\Monero GUI Wallet\monero-daemon.bat	monero-gui-install-win-x64-v0.18.3.4.tmp

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\monero-gui-install-win-x64-v0.18.3.4.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	monero-gui-install-win-x64-v0.18.3.4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66bddfcb52736_vidar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66bddfcb52736_vidar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66bddfcb52736_vidar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	monero-gui-install-win-x64-v0.18.3.4.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Checks processor information in registry 2 TTPs 39 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	regedit.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	regedit.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	regedit.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	regedit.exe

Delays execution with timeout.exe 10 IoCs

evasion

pid	Process
3480	timeout.exe
7324	timeout.exe
7040	timeout.exe
1216	timeout.exe
4692	timeout.exe
5972	timeout.exe
2912	timeout.exe
2212	timeout.exe
5744	timeout.exe
5600	timeout.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	regedit.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	regedit.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	regedit.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Identifier	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	regedit.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	regedit.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information	regedit.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	regedit.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Component Information	regedit.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier	regedit.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Configuration Data	regedit.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier	regedit.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	regedit.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Component Information	regedit.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data	regedit.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Configuration Data	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Component Information	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	regedit.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data	regedit.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Component Information	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000\	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	regedit.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Configuration Data	regedit.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	regedit.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	regedit.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\PreferredProfile	regedit.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	regedit.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	regedit.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	regedit.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Component Information	regedit.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 3cde0e7ad218db01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F89144C9-D2A0-11EF-A4B7-CAF61997B0B0} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{C76F3D37-264B-4D26-BB1E-306A835EA0CA}"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E862D1AE-D2A0-11EF-A4B7-CAF61997B0B0} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 26 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\monero\ = "URL:Monero Payment Protocol"	monero-gui-install-win-x64-v0.18.3.4.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\monero\URL Protocol	monero-gui-install-win-x64-v0.18.3.4.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\monero\DefaultIcon\ = "C:\\Program Files\\Monero GUI Wallet\\monero-wallet-gui.exe,0"	monero-gui-install-win-x64-v0.18.3.4.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\moneroseed\URL Protocol	monero-gui-install-win-x64-v0.18.3.4.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\moneroseed\DefaultIcon\ = "C:\\Program Files\\Monero GUI Wallet\\monero-wallet-gui.exe,0"	monero-gui-install-win-x64-v0.18.3.4.tmp
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\moneroseed\shell\open	monero-gui-install-win-x64-v0.18.3.4.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\moneroseed\shell\open\command\ = "\"C:\\Program Files\\Monero GUI Wallet\\monero-wallet-gui.exe\" \"%1\""	monero-gui-install-win-x64-v0.18.3.4.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\moneroseed\shell\open\command	monero-gui-install-win-x64-v0.18.3.4.tmp
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\monero\shell\open\command	monero-gui-install-win-x64-v0.18.3.4.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\monero\shell\open	monero-gui-install-win-x64-v0.18.3.4.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\moneroseed	monero-gui-install-win-x64-v0.18.3.4.tmp
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\monero\DefaultIcon	monero-gui-install-win-x64-v0.18.3.4.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\monero\shell\open\command\ = "\"C:\\Program Files\\Monero GUI Wallet\\monero-wallet-gui.exe\" \"%1\""	monero-gui-install-win-x64-v0.18.3.4.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\moneroseed\ = "URL:Monero Seed Node Protocol"	monero-gui-install-win-x64-v0.18.3.4.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\moneroseed\DefaultIcon	monero-gui-install-win-x64-v0.18.3.4.tmp
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\monero	monero-gui-install-win-x64-v0.18.3.4.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\monero\shell	monero-gui-install-win-x64-v0.18.3.4.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\moneroseed\shell	monero-gui-install-win-x64-v0.18.3.4.tmp
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\monero-gui-install-win-x64-v0.18.3.4.exe:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 5 IoCs

ransomware

pid	Process
2196	NOTEPAD.EXE
6204	NOTEPAD.EXE
3756	NOTEPAD.EXE
5360	NOTEPAD.EXE
6556	NOTEPAD.EXE

Runs regedit.exe 1 IoCs

pid	Process
4240	regedit.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
6116	monero-wallet-gui.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1976	RegAsm.exe
1976	RegAsm.exe
1976	RegAsm.exe
1976	RegAsm.exe
1976	RegAsm.exe
1976	RegAsm.exe
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
2196	msedge.exe
2196	msedge.exe
3344	msedge.exe
3344	msedge.exe
6116	monero-wallet-gui.exe
6116	monero-wallet-gui.exe
5548	RegAsm.exe
5548	RegAsm.exe

Suspicious behavior: GetForegroundWindowSpam 6 IoCs

pid	Process
836	OpenWith.exe
5440	OpenWith.exe
4836	OpenWith.exe
5936	OpenWith.exe
6116	monero-wallet-gui.exe
4240	regedit.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3344	msedge.exe
3344	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3244	firefox.exe
Token: SeDebugPrivilege	3244	firefox.exe
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp
Token: SeDebugPrivilege	3048	monero-gui-install-win-x64-v0.18.3.4.tmp

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
4948	iexplore.exe
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp
3048	monero-gui-install-win-x64-v0.18.3.4.tmp

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
3244	firefox.exe
2900	OpenWith.exe
2900	OpenWith.exe
2900	OpenWith.exe
2900	OpenWith.exe
2900	OpenWith.exe
2900	OpenWith.exe
2900	OpenWith.exe
2900	OpenWith.exe
2900	OpenWith.exe
2900	OpenWith.exe
2900	OpenWith.exe
2900	OpenWith.exe
2900	OpenWith.exe
2900	OpenWith.exe
2900	OpenWith.exe
2900	OpenWith.exe
2900	OpenWith.exe
2900	OpenWith.exe
2900	OpenWith.exe
2900	OpenWith.exe
2900	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe
836	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 1976	3460	66bddfcb52736_vidar.exe	82
PID 3460 wrote to memory of 1976	3460	66bddfcb52736_vidar.exe	82
PID 3460 wrote to memory of 1976	3460	66bddfcb52736_vidar.exe	82
PID 3460 wrote to memory of 1976	3460	66bddfcb52736_vidar.exe	82
PID 3460 wrote to memory of 1976	3460	66bddfcb52736_vidar.exe	82
PID 3460 wrote to memory of 1976	3460	66bddfcb52736_vidar.exe	82
PID 3460 wrote to memory of 1976	3460	66bddfcb52736_vidar.exe	82
PID 3460 wrote to memory of 1976	3460	66bddfcb52736_vidar.exe	82
PID 3460 wrote to memory of 1976	3460	66bddfcb52736_vidar.exe	82
PID 3460 wrote to memory of 1976	3460	66bddfcb52736_vidar.exe	82
PID 2416 wrote to memory of 3244	2416	firefox.exe	86
PID 2416 wrote to memory of 3244	2416	firefox.exe	86
PID 2416 wrote to memory of 3244	2416	firefox.exe	86
PID 2416 wrote to memory of 3244	2416	firefox.exe	86
PID 2416 wrote to memory of 3244	2416	firefox.exe	86
PID 2416 wrote to memory of 3244	2416	firefox.exe	86
PID 2416 wrote to memory of 3244	2416	firefox.exe	86
PID 2416 wrote to memory of 3244	2416	firefox.exe	86
PID 2416 wrote to memory of 3244	2416	firefox.exe	86
PID 2416 wrote to memory of 3244	2416	firefox.exe	86
PID 2416 wrote to memory of 3244	2416	firefox.exe	86
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87
PID 3244 wrote to memory of 3092	3244	firefox.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\66bddfcb52736_vidar.exe
"C:\Users\Admin\AppData\Local\Temp\66bddfcb52736_vidar.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\CAKKKJEHDBGI" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2780
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:4692

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2036 -parentBuildID 20240401114208 -prefsHandle 1952 -prefMapHandle 1944 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {827ff3c3-08ec-4fb7-a142-75a951713692} 3244 "\\.\pipe\gecko-crash-server-pipe.3244" gpu
    3⤵
    PID:3092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2444 -parentBuildID 20240401114208 -prefsHandle 2420 -prefMapHandle 2416 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea6fc0ab-e27e-48f9-89eb-5c283093f304} 3244 "\\.\pipe\gecko-crash-server-pipe.3244" socket
    3⤵
    PID:2156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3064 -childID 1 -isForBrowser -prefsHandle 3092 -prefMapHandle 2948 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2050538-fa79-4ffe-a4dc-7c4b324f6180} 3244 "\\.\pipe\gecko-crash-server-pipe.3244" tab
    3⤵
    PID:436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2680 -childID 2 -isForBrowser -prefsHandle 3564 -prefMapHandle 3636 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c826d9be-27fe-4610-8a4a-98b11f31121d} 3244 "\\.\pipe\gecko-crash-server-pipe.3244" tab
    3⤵
    PID:3728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4928 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4956 -prefMapHandle 4952 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {567c99e1-c0fb-44b8-9da6-676ef0d885d5} 3244 "\\.\pipe\gecko-crash-server-pipe.3244" utility
    3⤵
    - Checks processor information in registry
    PID:1728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5648 -childID 3 -isForBrowser -prefsHandle 5672 -prefMapHandle 5668 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1000dbc0-cb81-43c9-8c46-e03aa529867d} 3244 "\\.\pipe\gecko-crash-server-pipe.3244" tab
    3⤵
    PID:2232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5720 -childID 4 -isForBrowser -prefsHandle 5764 -prefMapHandle 5772 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1a29b7e-07cf-46d9-aadb-4fa1ce3990fd} 3244 "\\.\pipe\gecko-crash-server-pipe.3244" tab
    3⤵
    PID:4456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6020 -childID 5 -isForBrowser -prefsHandle 5940 -prefMapHandle 5948 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {92b7547c-0cee-4dc8-8013-60933d5218d5} 3244 "\\.\pipe\gecko-crash-server-pipe.3244" tab
    3⤵
    PID:2724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6296 -childID 6 -isForBrowser -prefsHandle 6292 -prefMapHandle 6240 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8bbd9747-4e40-4df1-86a4-fb3fbecb650b} 3244 "\\.\pipe\gecko-crash-server-pipe.3244" tab
    3⤵
    PID:980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6468 -parentBuildID 20240401114208 -prefsHandle 6472 -prefMapHandle 6240 -prefsLen 32574 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6995ad9-4dce-4a3c-924c-cd7d424ac374} 3244 "\\.\pipe\gecko-crash-server-pipe.3244" rdd
    3⤵
    PID:2992
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6580 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 6424 -prefMapHandle 6448 -prefsLen 32574 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fd99b21-001d-490a-820b-6a3c5d3a8b6d} 3244 "\\.\pipe\gecko-crash-server-pipe.3244" utility
    3⤵
    - Checks processor information in registry
    PID:4268
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6736 -childID 7 -isForBrowser -prefsHandle 6744 -prefMapHandle 2364 -prefsLen 27265 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ab876ec-9fee-4b1e-850b-c4d0274e2c10} 3244 "\\.\pipe\gecko-crash-server-pipe.3244" tab
    3⤵
    PID:3028
- - C:\Users\Admin\Downloads\monero-gui-install-win-x64-v0.18.3.4.exe
    "C:\Users\Admin\Downloads\monero-gui-install-win-x64-v0.18.3.4.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:952
  - - C:\Users\Admin\AppData\Local\Temp\is-FACI6.tmp\monero-gui-install-win-x64-v0.18.3.4.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-FACI6.tmp\monero-gui-install-win-x64-v0.18.3.4.tmp" /SL5="$70284,99679275,832512,C:\Users\Admin\Downloads\monero-gui-install-win-x64-v0.18.3.4.exe"
      4⤵
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:3048
    - - C:\Users\Admin\AppData\Local\Temp\is-OEOF8.tmp\_isetup\_setup64.tmp
        
        helper 105 0x4A4
        5⤵
        Executes dropped EXE
        
        PID:4712
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Program Files\Monero GUI Wallet\ReadMe.htm
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of SendNotifyMessage
        
        PID:3344
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff96ab646f8,0x7ff96ab64708,0x7ff96ab64718
        6⤵
        
        PID:5696
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,6967033502805524494,9759174812847420195,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1992 /prefetch:2
        6⤵
        
        PID:5424
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1852,6967033502805524494,9759174812847420195,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2196
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1852,6967033502805524494,9759174812847420195,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
        6⤵
        
        PID:1836
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6967033502805524494,9759174812847420195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
        6⤵
        
        PID:5492
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6967033502805524494,9759174812847420195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
        6⤵
        
        PID:4840
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3608 -childID 8 -isForBrowser -prefsHandle 3656 -prefMapHandle 1604 -prefsLen 28171 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3a1568a-413e-4c4b-8623-de97ab436347} 3244 "\\.\pipe\gecko-crash-server-pipe.3244" tab
    3⤵
    PID:7976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5912 -childID 9 -isForBrowser -prefsHandle 6076 -prefMapHandle 6092 -prefsLen 28171 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8f47ead-5105-4e24-b31f-c604ce6f4d9a} 3244 "\\.\pipe\gecko-crash-server-pipe.3244" tab
    3⤵
    PID:6448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3860 -childID 10 -isForBrowser -prefsHandle 7340 -prefMapHandle 6064 -prefsLen 28171 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f5b462a-184c-43aa-961f-6ca09ac23fff} 3244 "\\.\pipe\gecko-crash-server-pipe.3244" tab
    3⤵
    PID:5276

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5732

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2900

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:836
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  PID:4948
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4948 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:5636
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4948 CREDAT:82948 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:6008

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:5440
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\tmpaddon-1
  2⤵
  - Modifies Internet Explorer settings
  PID:5872

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:4836
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
  2⤵
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:5688
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5688 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:1340

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:5936
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\tmpaddon-1"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  PID:1104
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4892
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=04AD132D58DE57C24C5FBD32EAE72E80 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5956
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B9AFEB52943D6E6E1960BADA1FB21232 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B9AFEB52943D6E6E1960BADA1FB21232 --renderer-client-id=2 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:2052
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B890440570029D7298C74DE1D18AE0F6 --mojo-platform-channel-handle=2304 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5660
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=792159C1B32DF5B383072C6EC40B9EBC --mojo-platform-channel-handle=2460 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5360
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=49A3455E6CAF93D1D2BAD2DD32412672 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5400

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\BroadcastMsg_1736877442.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3756

C:\Program Files\Monero GUI Wallet\monero-wallet-gui.exe
"C:\Program Files\Monero GUI Wallet\monero-wallet-gui.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:6116
- C:\Program Files\Monero GUI Wallet\monerod.exe
  "C:\Program Files\Monero GUI Wallet\monerod.exe" --enable-dns-blocklist --out-peers 16 --no-igd --bootstrap-daemon-address auto --no-sync --check-updates disabled --non-interactive --max-concurrency 4
  2⤵
  - Executes dropped EXE
  PID:6672
- C:\Program Files\Monero GUI Wallet\monerod.exe
  "C:\Program Files\Monero GUI Wallet\monerod.exe" sync_info
  2⤵
  - Executes dropped EXE
  PID:7004
- C:\Program Files\Monero GUI Wallet\monerod.exe
  "C:\Program Files\Monero GUI Wallet\monerod.exe" exit
  2⤵
  PID:2072
- C:\Program Files\Monero GUI Wallet\monerod.exe
  "C:\Program Files\Monero GUI Wallet\monerod.exe" sync_info
  2⤵
  PID:6504
- C:\Program Files\Monero GUI Wallet\monerod.exe
  "C:\Program Files\Monero GUI Wallet\monerod.exe" exit
  2⤵
  PID:7260

C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
1⤵
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
PID:4240

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:7832

C:\Users\Admin\AppData\Local\Temp\66bddfcb52736_vidar.exe
"C:\Users\Admin\AppData\Local\Temp\66bddfcb52736_vidar.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:5788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:5932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5548
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\HCFBKKEBKEBG" & exit
    3⤵
    PID:6548
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:5972

C:\Users\Admin\AppData\Local\Temp\66bddfcb52736_vidar.exe
"C:\Users\Admin\AppData\Local\Temp\66bddfcb52736_vidar.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:6164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6204
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\CFCGIIEHIEGD" & exit
    3⤵
    PID:5920
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:2912

C:\Users\Admin\AppData\Local\Temp\66bddfcb52736_vidar.exe
"C:\Users\Admin\AppData\Local\Temp\66bddfcb52736_vidar.exe"
1⤵
PID:6524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:6592
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\BGDAKEHIIDGD" & exit
    3⤵
    PID:5064
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:2212

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:6608
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:1416
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  PID:4068
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  PID:6008

C:\Users\Admin\AppData\Local\Temp\66bddfcb52736_vidar.exe
"C:\Users\Admin\AppData\Local\Temp\66bddfcb52736_vidar.exe"
1⤵
PID:8016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:3904
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\FBGCAAAAFBKE" & exit
    3⤵
    PID:7720
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:3480

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4328
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\Monero\wallets\Admin\Admin.keys
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5360

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\Monero\wallets\Admin\Admin.keys
1⤵
- Opens file in notepad (likely ransom note)
PID:6556

C:\Users\Admin\AppData\Local\Temp\66bddfcb52736_vidar.exe
"C:\Users\Admin\AppData\Local\Temp\66bddfcb52736_vidar.exe"
1⤵
PID:6952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:6776
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\HIIIECAAKECF" & exit
    3⤵
    PID:6596
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:5744

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\Monero\wallets\Admin\Admin.keys
1⤵
- Opens file in notepad (likely ransom note)
PID:2196

C:\Users\Admin\AppData\Local\Temp\66bddfcb52736_vidar.exe
"C:\Users\Admin\AppData\Local\Temp\66bddfcb52736_vidar.exe"
1⤵
PID:4624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:6308
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\IIEBKJECFCFB" & exit
    3⤵
    PID:6044
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:5600

C:\Users\Admin\AppData\Local\Temp\66bddfcb52736_vidar.exe
"C:\Users\Admin\AppData\Local\Temp\66bddfcb52736_vidar.exe"
1⤵
PID:7424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:7368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:8068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:6420
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\ECGDHIDAAFHI" & exit
    3⤵
    PID:5028
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:7324

C:\Users\Admin\AppData\Local\Temp\66bddfcb52736_vidar.exe
"C:\Users\Admin\AppData\Local\Temp\66bddfcb52736_vidar.exe"
1⤵
PID:7832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:6036
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\JDAEHJJECAEG" & exit
    3⤵
    PID:7636
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:7040

C:\Users\Admin\Downloads\fakenet3.3\fakenet3.3\fakenet.exe
"C:\Users\Admin\Downloads\fakenet3.3\fakenet3.3\fakenet.exe"
1⤵
PID:5464
- C:\Users\Admin\Downloads\fakenet3.3\fakenet3.3\fakenet.exe
  "C:\Users\Admin\Downloads\fakenet3.3\fakenet3.3\fakenet.exe"
  2⤵
  PID:7876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:3208

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\fakenet3.3\fakenet3.3\LICENSE.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:6204

C:\Users\Admin\Downloads\fakenet3.3\fakenet3.3\fakenet.exe
"C:\Users\Admin\Downloads\fakenet3.3\fakenet3.3\fakenet.exe"
1⤵
PID:5024
- C:\Users\Admin\Downloads\fakenet3.3\fakenet3.3\fakenet.exe
  "C:\Users\Admin\Downloads\fakenet3.3\fakenet3.3\fakenet.exe"
  2⤵
  PID:6672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:6888

C:\Users\Admin\Downloads\fakenet3.3\fakenet3.3\fakenet.exe
"C:\Users\Admin\Downloads\fakenet3.3\fakenet3.3\fakenet.exe"
1⤵
PID:3936
- C:\Users\Admin\Downloads\fakenet3.3\fakenet3.3\fakenet.exe
  "C:\Users\Admin\Downloads\fakenet3.3\fakenet3.3\fakenet.exe"
  2⤵
  PID:6884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:6656

C:\Users\Admin\Downloads\fakenet3.3\fakenet3.3\fakenet.exe
"C:\Users\Admin\Downloads\fakenet3.3\fakenet3.3\fakenet.exe"
1⤵
PID:5580
- C:\Users\Admin\Downloads\fakenet3.3\fakenet3.3\fakenet.exe
  "C:\Users\Admin\Downloads\fakenet3.3\fakenet3.3\fakenet.exe"
  2⤵
  PID:952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:936

C:\Users\Admin\AppData\Local\Temp\66bddfcb52736_vidar.exe
"C:\Users\Admin\AppData\Local\Temp\66bddfcb52736_vidar.exe"
1⤵
PID:5532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:7364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:6060
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & rd /s /q "C:\ProgramData\FCFIJEBFCGDA" & exit
    3⤵
    PID:1088
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:1216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Monero GUI Wallet\ReadMe.htm

Filesize
8KB

MD5
960b1d19967d1c006e57392c722a8da3

SHA1
4acb31152ff6ff71f8ccb3972e68e29a17610432

SHA256
e95846594909d9d8e78ba3b5cf2fa8554320f74e4a6682d677a7df0f666d964e

SHA512
5fbac8ee3b742ced8230ec7095237eba55d94fa9f07d83c168189c8ba1c50f7babe64cb2038a70cd3a70346f8f1806db2c272b450a6cb9be23515195a5f3f9a8

Download Submit
C:\Program Files\Monero GUI Wallet\monero-blockchain-import.exe

Filesize
17.2MB

MD5
750c295eb2881774764866dcad9f203d

SHA1
5a074716eec433ff9279b20f306de84c1fc71870

SHA256
6cad362c47ad393a142d36972f96e15b504e0684a85f900f388bd16dd19c48e6

SHA512
9377ac9999f37dd6f939b851cb41346a6954526b2fcc3271dd47592a819acd0f25dfb326b2d951fa5b5e3b44f175d51f2e6b72df1539d88e31d5d5bcc6bdd98b

Download Submit
C:\Program Files\Monero GUI Wallet\monerod.exe

Filesize
30.2MB

MD5
e09fc60dded1d4c9e46229520536ae67

SHA1
e14846f2152791d1662174509b2280d0f96311be

SHA256
64edd8bbf32d69097783acd00db522220e3f06b2ea153b01fbfbce5f6aa4b147

SHA512
8364fd5373b3c936675f6cb4fb87918dabc98912e997530ab110d582181ff2c2385ec0406ac264d380551f65eec465de51ac87ccf2d3c93f83a46a328757c671

Download Submit
C:\Program Files\Monero GUI Wallet\opengl32sw.DLL

Filesize
20.0MB

MD5
7dbc97bfee0c7ac89da8d0c770c977b6

SHA1
a064c8d8967aaa4ada29bd9fefbe40405360412c

SHA256
963641a718f9cae2705d5299eae9b7444e84e72ab3bef96a691510dd05fa1da4

SHA512
286997501e1f5ce236c041dcb1a225b4e01c0f7c523c18e9835507a15c0ac53c4d50f74f94822125a7851fe2cb2fb72f84311a2259a5a50dce6f56ba05d1d7e8

Download Submit
C:\ProgramData\.shared-ringdb\data.mdb

Filesize
12KB

MD5
9dce56833647e292ef9d8ef200d0ec79

SHA1
27f67b46291d9fe5d4980987745249c19aa09dff

SHA256
cc136d66038535f9c9ca2c0c050eaae960adb4b93108798b325b8fa011d8569d

SHA512
bb6b225715d0f138b62b33aa7282d9fa45dc76843710f74af1e61757fadda3983860980c38be27861f9db0fe6aa65a496f47ccab3f7aeec99332051ef9209c8f

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Monero GUI Wallet\GUI Wallet Guide.lnk

Filesize
1KB

MD5
e7588a0eb9fa94d3c20f3928593027d1

SHA1
49638e74e47b573cdcc69189a6ca23866abd920d

SHA256
d666449804ba5adec4962f56361e209ad9124701af6287836cebbf58c13c3318

SHA512
39dc4057e6c22bc6d2322fa9dc4c275b41455f8b0dcb2e50c424b6c60a5267eb764affa80ab0886f91a2e28d03b67b704e0633d9a4a3fcbce197b9b2389d6353

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Monero GUI Wallet\GUI Wallet.lnk

Filesize
986B

MD5
0b784b1198aa7d336c62d6f2b96f9afd

SHA1
0468bd1bd940d9dfbb4bb86b6b84c712fea9d5d2

SHA256
a84fa4440f5ab3af08a20152eda86e85813705c34c9da557593a4cb8ba8aac66

SHA512
515d5cbf40605f0e1cba78f3d0e8cdd17eafc3ed87f319da22888720f288b5c445753083104eb1dfa672840f30331f661bf199c6ad6f783f35f6228c7184695c

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Monero GUI Wallet\Uninstall GUI Wallet.lnk

Filesize
1KB

MD5
58121babbed96b1a0548ec0416c3d48a

SHA1
8fe9fd8cf082ec9382e5b70bdebe0fcbe080d49b

SHA256
a49d1e8ebc1c508fb37b0f85b31610a4f004e103a0e09f3a8b35aab79cdfca98

SHA512
589babd76c36fde9d84c9b4762f0b1fed400884ece28a45d5e66c2ce025de06653267ef3e16bba5a2772b8b0b94150cf5141c934089c7a6a178de12a8229ba6a

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Monero GUI Wallet\Utilities\Monero Daemon.lnk

Filesize
940B

MD5
d8cc774122f20544f81629282259c32b

SHA1
ceddeeecc7b5caba1a4b3314bad1450ed4924e34

SHA256
26404ffddb5b12eda7cd6b9014724e20d7dfd9881b0d1f02d9e6a216150acead

SHA512
d855d076da7f6de1ecb31dee731021d36f222ee357ccc5e0685519c3c6bfff6d15d00ec2f03204566dacd0efb4e5ae8803e7e75cbedb516ab18f15d09f999329

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Monero GUI Wallet\Utilities\Read Me.lnk

Filesize
935B

MD5
4e2107033fb91f289d0d6991edab0624

SHA1
911a1dac04ed02720e98c38ae20316d890f4df0c

SHA256
1b8c1e25af125041c21fdfecbb31bd885d4f503ab13a85b39a2df7064cf9a128

SHA512
73fd2925bccd3fe7071829d889b04d83cf60d2b3d5bef31f9573afbf49a704297e9f895a8dcebc0d2ec6b6c35a5a43e23de137b1d7aa8fde3a7c0f6e98833e98

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Monero GUI Wallet\Utilities\Textual (CLI) Wallet.lnk

Filesize
1002B

MD5
a30957eaa8436b49b11bb22e97cf5378

SHA1
b2f97540c928cd8eb4aab141a4f6213d7025f52c

SHA256
f5d5df26d209b61b68fbea18bf0be51315918d18c44f2c576ec1ae729e3c8c6e

SHA512
e520af6c5d46e3bc703c39a11b42e258747e14090bb05834ee7588ddfb544bd4be93d55c57bbff6c15b5d4dedc12e4e2c7a0cbd70362e65656d6741fbbdda5df

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Monero GUI Wallet\Utilities\x (Check Daemon Log).lnk

Filesize
814B

MD5
49da98d76e78788631856b6a5c2037b5

SHA1
6d9e484d872969d9ea343f752387426eb2919dce

SHA256
5c3acba0f6c6e566641cddf4cfcbd59b4ba8b3b66e94ccf3dd644597cc8be7f5

SHA512
3d2ad5f1317c88ede4eeb930d3dcbd11c3aa041125dec8b21b1433b3aadb28019321ff8ae5f99fd6e511e8c6c59a247b4d845a6bdf805fc840ebb23509de4d55

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Monero GUI Wallet\Utilities\x (Check Default Blockchain Folder).lnk

Filesize
896B

MD5
bf9d044cd58a5fa1c18f407a4b276461

SHA1
6a4d8317641e8d50ffd3cb7d82440f2e947b3fa6

SHA256
e4b1e680d4ec28e41ecb0d30983de036f0acfd53c38179160ad929035591ea36

SHA512
c0a52ed75c18cc19eb64a55e0aeb54b3df2870a0895dd6edf5eeba8e9e0c0196df843e5f4c23b523081129827ae414579931828df7541eda1a40a06470f29c5a

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Monero GUI Wallet\Utilities\x (Check Default Wallet Folder).lnk

Filesize
930B

MD5
8a2ba3ad9437ad23f9a2ee9e3bfb3037

SHA1
f5d1d7ebde05a6d839ad36e608ebff4b4f216b58

SHA256
733a89f6f9f7b22126fc4743cc8ee524874ff9fd1a03dea60aa9938e4db6759e

SHA512
963a32e552d41f97b1daa55056d1748b726783ac8c04ad8bdc419d67b745624b4d908f36c388913fe36a6180d9a0aca340686e24ca233319a6474c3cefdab887

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Monero GUI Wallet\Utilities\x (Check GUI Wallet Log).lnk

Filesize
882B

MD5
945462a1e758bba912cb54f3363e15fe

SHA1
83b4216f7d0a6b84cab0612b123b19d7e59a3844

SHA256
152d6845d70ed313e4af29b57ecbbfa14456c8c6943a342d32302a72efd28546

SHA512
a94af01fd23e91e78f1ac8304d173a2468159f7529b9eb6a65219cd25f7483f5335c342c4f0757d49a8316631e238bb65ebe56095b0f4f96dc78b21697d8b494

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Monero GUI Wallet\Utilities\x (Try Daemon, Exit Confirm).lnk

Filesize
972B

MD5
a8a045268cf5af639686456fdb673911

SHA1
032092d9bc4b2a1dd04aa852ccb22f6eb15b40c7

SHA256
4a3188cefdc9db2e716c5d2d68f4fe7fc97af9380339795bd81385296652688c

SHA512
05c7e1465462153e5a753442b4a58e20aec10f285dcddd67f8eb42ed2d5e93930fd053fe5cb6a2477ffbfa56afce388ed1d3852e0ad820470429f9bf6a2abce3

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Monero GUI Wallet\Utilities\x (Try GUI Wallet Low Graphics Mode).lnk

Filesize
1022B

MD5
fccacc8213dc460034f8f5daf5ac3828

SHA1
e16e2d6733c525e0463a3afde6f072b31fe913c5

SHA256
1448035bb6f7f7263303cbe94f20024608d675a93be7179287672eec757eda20

SHA512
8244f6da92fdbdef90853feb7c6f139003d1c3a65276963e92c136ca3beb71867da580ba0fb8d93e917c45767069a3696c0f972bcfb517713568f8f384f64ea5

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Monero GUI Wallet\Utilities\x (Try Kill Daemon).lnk

Filesize
786B

MD5
36bcaf17dd66a906d1b2043d9e6876ea

SHA1
7b227c7b80b8507a34da62779bb57d2c9e75c8e6

SHA256
7b973b99a2a383be545d1ab764d7ec5157916253ba4f09b9030fc0ca43c1cb72

SHA512
31f942c51a38506a35d573195b61f5d9febe075d010bb4821a51e01e54c5e7a3164b1e90420e1a677e14d36699b4410f5fbd869ea3e8cde5ec52d8f0da300640

Download Submit
C:\ProgramData\bitmonero\bitmonero.log

Filesize
1KB

MD5
214e8aa86ea0c4562d6b0ee2361fd3a6

SHA1
9d046165947b1433f1160da8aa9315f0286819d6

SHA256
ef43b997f56a618acee3cf5be95fdd802eabef847892f071b40baea34a387573

SHA512
375d6787185a717715227d2af67d75af81810f8a6fa92ca60b00ee6491bc75f22785b2fdc8637babb5f11545d00db1322c31966a9dcee5833f94283e6339c2ba

Download Submit
C:\ProgramData\bitmonero\bitmonero.log

Filesize
33KB

MD5
2d4643748ff35b90448fa939277144fd

SHA1
cb7a5df269caada693693e3d7fc1fc53b52df9a7

SHA256
a2e5b136e54802da0663f1b96052ea02eda3f276dcd9778f236e15b981fd9de6

SHA512
866ae69f891cc9328d57abe2a3072ec696541e54515d18dc9f13009e6463f5a13b1bb23baad1ca7d345b22cd1e623b792ea7b64569bf95e70ac39abbc5ee7b20

Download Submit
C:\ProgramData\bitmonero\bitmonero.log

Filesize
34KB

MD5
f2b1088d5f71dcfb007e40884b2551a8

SHA1
526f29d9c20dca5f66fd06526bbed6dd099516b0

SHA256
4ab6fa19e03ca7b967b7d73961532094c562a8a04cfb537b194c215dbb73917e

SHA512
b1960491573329f8dd6c7f8701af84aed227359040f872705a213669f4c0714e8616064fca940f509522a052ebb6676cfec01f7de9aa011d8443d6a9a78ac8de

Download Submit
C:\ProgramData\bitmonero\bitmonero.log

Filesize
35KB

MD5
353cac2ebdd8e772e410b6f60e5ef2f1

SHA1
f0819cfc5333ee7ead99378f406723814d556bfa

SHA256
d210fed448d363515ec87b22e64862822474ae7fa7849c915a907ae2d5ed6ce6

SHA512
6643ada0728096e24451498382391e293b8c0345a388303a34deb908b816b14b215a56d88bc57fc91f84ca6cc003f745a35e314c3f68ebd50c68e3787f7f6be1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
2KB

MD5
7f59fc831193a41e919c2f0ade38c3cc

SHA1
addce30f4e5775269185f7ce054be91bca5f1b8f

SHA256
2973459a9493cfeb8907775f0e3be2cc800ebe85f420d0ec0c8cf4b49662902f

SHA512
677f98cf3fa25ff4ae82cfae761f4dd982d344b7136bb4f72d43a3d269c24b1d70c387488dd24205059f91f1f569402db5a4323b533577da8aec0318bdaef09e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4E3D1101CFA1A79AF305FD7C55E37649_A8EAC700FEE71EDD327E06BEAA0C7F96

Filesize
2KB

MD5
6650ec8cdcdf2a51fca5e6ca0e2d27fa

SHA1
2fdec87fb17183eea71bde63f6558cc007abae1a

SHA256
0b8451cf0d4ad57be7e316db3d41f9327fb57b8b6429f83ca7b9cc5a888b1aec

SHA512
f921de547eaf08793f294ab81b32ab65195e709c313f3cd2685cd30c0d8f5f2bd43d7a75e250e94b3c063248b4c510b17f6141d34711604f2452558c76162896

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
1KB

MD5
a25d5a65ff234c837a51279f89d8549d

SHA1
0965c32dbfed3bc91d10da67aae8a25f7a5d14dc

SHA256
7c5596997c9faf94b7b816bc7554d7b711bc95928f24353668dac34ce9eb7d11

SHA512
4af37c439e9591b6ef5ca9f224d4704cf6563722748b9fdcd5613d6bcd935261528e6499cd98ae95bc11934affa2f09fdb75072ab4f791f9b5e6ccb4ba2b08e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
d6357ba0559ad7eb29d8941ff6746840

SHA1
62cb08d3f20f72c70698907dc18f029750a81cc0

SHA256
b0c224460fe3e007f9e093e5384659d519beb96fa90eabd0264eb8468e13fdf1

SHA512
3d684e8e28ac72d0508149d98084b01c713edb9ccc016f6880e791194b558edc811e72680e7f03a92866c29ccd932d9923af89d4acde7fbc402ee2c1fae39f3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
435a1867686496848cfd3946fdfd3edc

SHA1
549e9278c41cc5f4c61012f315014485fb6241d2

SHA256
35a87cc543a211cd83a758618b118bdd1559623db0913cf2294fd33e309bcaf6

SHA512
94ba150d5b6655d88023dfa060952dd94a787a438e40754fffa3b1ad9bbf1f2d7ae367aadc3df8db00ca80e1ba8c832c8713155b458604f42e503cf5bf9ab934

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4E3D1101CFA1A79AF305FD7C55E37649_A8EAC700FEE71EDD327E06BEAA0C7F96

Filesize
474B

MD5
84fc68f58b0785e7c81f1968ffcd65be

SHA1
38eb3fe9123aedd008ce4a761a5abdecd08dc2fd

SHA256
3a54b41e9868efa4a0ddf8aaed2b1f989abaa51d4abaf1c41acc214342661ade

SHA512
ac2c2a77ab2b4ee03b0123290dc0665162c4ee4cf24bec29158cedd1cc2366341962a10c1b6bf239518a0c6fed6aeb994051df0f77139e40b2c709e80fb172d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
458B

MD5
6e56ca71510d3d78c8e46c9bdd57a32a

SHA1
96fcf7697a7f31b0e39c5947f7da64d6a9c3bfa2

SHA256
bbc832678d7ca845c5269df8d7a5aa5bc35d3b870a0653c1678a3b40dd4a2a03

SHA512
50e1aad8454a0064df8db5ecc3248b8a2f6e7e2dcd35267250d3b3c14be1ded37a918cf4f486fe21afcc07459bd454d09b6dd8b61a492a1042e0f3410c1f956b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
438ef3e12be93b1c237446c6a97dbdd3

SHA1
a7161840c86489d1954bd6fe1026295e211f781e

SHA256
4f36f278483add9fc562c051784ceb9f2c808b58109858509b3736d3ee3c20ca

SHA512
0e5317bf4d3d7dda66b3a7a9356432933b70bbd80650207d7df2846d9ffbc1d762b81e0f6ab5824f01acaebcdf74bb278e7b4f75d91538bae45c6492ef8e2af5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\66bddfcb52736_vidar.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1b20f2f7208f5ad7c1655edb267ec9a6

SHA1
84e0534a2e481869bb39492694814f17de8d501e

SHA256
c87998b6335b741c27bd0e36a2453f2b509289b425c39c24004b6790a812cd0e

SHA512
9ee6ee800e9f55b1db230e1da1238223b93f9bf8af1338fa11254fed8eceee26dd9c80ac5eee7232e9e95bffe542f04b02c14472f6a294eaf9706649a58e7b2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
63fff22ef99b8063dfe8f5cd25b774ae

SHA1
02ae4a6d9b3a71c63d528d69d4af7fe2bcc0a343

SHA256
176b7450ff3689bad91921f2fee8659169a2c2f1630a1e19ced2e8d70d99a360

SHA512
933e3826782a1230ebf8e291e5ba52ec0bc489ad52fefac307fa24476b3c2316523cd53365082b7827cdde7222291e98f8c3c7b73c4c670ac6f0cd6c06e51eac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
aa8f1cba6a1f85615889d327a28c9cd8

SHA1
ba5e71402fda13de15310c082e4a72bf4690f1dd

SHA256
6634a7ba5390aee50702863dc5843d0155642760fde931a2e50865fce369fd9d

SHA512
284ef26871a306cf9ccc18d87ec818152dcb2557f91deac8d0467a185f8d1d6ad2b440bf7c7948000098c60c40bb5bb4ce3a307a91bf45ea08ea55f50c5d01ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GPUS7TYC\76561199751190313[1].htm

Filesize
34KB

MD5
a09bd0a9b25fae341c6439dc74903a97

SHA1
6c3d801b752cd4dbe7787255dfc3d91a6b805b75

SHA256
1bb45ce7a462adccd0f239d0a4f85293d24f632e64fe569088181499b3e386d8

SHA512
62c01b6bbff1e5da7374fc6fc75be51f75a26723f65d7dc5a164591cd0fdef15f2cd1d5a38655d7e53efcb9a7ed07cd1b28e93d5fcb27f852ca28696387fc2b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GPUS7TYC\76561199751190313[1].htm

Filesize
34KB

MD5
e30d95ce813fafd95d778829aa808983

SHA1
cf80b578c0fae7d52fc4e8e93e1a80f59cbd4dc1

SHA256
da02aeda86f8baee064bddafe3c0fd0dd1816bec1fb53c6b9cf5c10ee4f7d9ba

SHA512
437c2fb2ec17aeea722b746e031e40bdf880dacc6bb45a3f9c6d6fdea5ab4fd93bc6607a4792f646a7d4553e948fc9aac7bc506cb4f11b233c751f2eb176ab81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GPUS7TYC\76561199751190313[1].htm

Filesize
34KB

MD5
e8c3a394b2ca1a2b77126aa86367a1eb

SHA1
eefd6de94961de1822c1743ab95102aa5652fb84

SHA256
b466e8ebb1065db188f24fdbb90b14058e43157fc5177962438ed0a8031ad842

SHA512
759e762e143e7854b00d7f2bd81f5f693126328c0818018f1159c7aa71f0c84248230b98926ef49043b121dc80164844376196205a68d37d72a7c56e572cfa9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GPUS7TYC\76561199751190313[1].htm

Filesize
34KB

MD5
432459a921e97aa9fb5221ca96977d5e

SHA1
cea8f500d57b309805ea40b96a796e6e22d4e8ef

SHA256
715efaacd3a55ec656abfd6e7f9b2380eeb2b82843ff45b6fde509ad6295e1b9

SHA512
f4567687bfbfdf9c7910d99458836226dd7570a9bf3e8dd649156497452e9521175d51f9814f422b187e584cb42bc4c5913328e5c80c6b3cae5a8bbf6f1b8523

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P2UT3MS5\76561199751190313[1].htm

Filesize
34KB

MD5
e3d15262e0324112652a8eabb8dc646c

SHA1
c6b096c254436e0c9ebaf40853c99c47fe870f9d

SHA256
d7a9d733a28f5337439576b65db29e577babe9bc1ee83831c516c6ddb4e7bb8e

SHA512
1cb67139debf45bc0af76c33d2364fbef12aede6ca727cfa0c5725864d61ec2dd394d6fd333b206cade597ca66b92cd75eb0323970144bdd48e18fa412023d39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P2UT3MS5\76561199751190313[1].htm

Filesize
34KB

MD5
cab672c726aab60b87432e1a027f9478

SHA1
785c87678f62c952df076987c43eb0606e2ffa9a

SHA256
ad2d604e7a99698af511236d4d651667a32128547e104c6797e2e8a2a5b72087

SHA512
e8e26d69527e1a6eb24c007c7614b069138a10cae5d2f49286047574e42ac74e7b4ef916fc5d2e8608663219c6fa23dd18a88090a9184919fb3eb0524d9f7acd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P2UT3MS5\76561199751190313[1].htm

Filesize
34KB

MD5
10587b0ad5c660d308f59fffe82ba49a

SHA1
7689ce6f1e421a29c419e1999cfb4413db4f6998

SHA256
5019fca4f93f41b040a951e4df84e80fe05a84363578b6d07fc5a567d420af6e

SHA512
215ecd3fc25c2d2139b8de2e6681f60983f9b758ed149b0e716ac56f031c8dd6def4e88564bcdadb5bbf4948fbac31925549b85700890caf1912070d8b9d7e31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P2UT3MS5\76561199751190313[1].htm

Filesize
34KB

MD5
d36cea84306b4fb1a80e408d8cbe853d

SHA1
dfc377a6504dd91112c5af3651c5d32725a94a4c

SHA256
a465f4293240cbf1b5997ce2c85f1ce5ed2b9ce49250cfa064c1d435a7ff49d6

SHA512
841636a0748286372f5da4ea18fb2e4ed60efdc0a8726d2eefcc7083d8ed275b390e19e5dbca0f659a5e99730cd54ac5324ea0bc790171cb9f34f0e7393d337c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85mw8mk9.default-release\activity-stream.discovery_stream.json.tmp

Filesize
24KB

MD5
5ab5c55fb5000d5ca3c41daf6598909f

SHA1
49e4a6c5fb0f373462287a9d7cf7a31adbb4d4bb

SHA256
33d5c119a7b835fa31680d4a36f5469543523ccc2157488bce73711054ad36a5

SHA512
20fee59c5b8eb51e6f11b2c04afd4967a1c82fca48af7190fad7f6ab9e4c9c0983a3346580c90978292365388f9f3891cce3e0e9a66fbc716ab0ac3db2089307

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85mw8mk9.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OEOF8.tmp\_isetup\_setup64.tmp

Filesize
6KB

MD5
e4211d6d009757c078a9fac7ff4f03d4

SHA1
019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

SHA512
17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFF47DC0B79AD1D647.TMP

Filesize
16KB

MD5
e61712f01a66a06453f888ac7088db67

SHA1
1a835d1cf92578e7d2d157e8671012234e620449

SHA256
bb8b808dcec16f86992e6d7268120ce9f9ad409a5e2d02ed14bee2adce042fee

SHA512
5bf78965f2a9a18357916d7ac7084037f3abfc831ec0ead1e746ea0dcebc04377827f2a266852e64916cd042763002b14ced3db8ac23a337b47dbf88234e4ae2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
7KB

MD5
02f64fe6f5ab16423487b59949e33e27

SHA1
bece31b03f50741071912ca0c0a82fbf6224fcc7

SHA256
ce1f77ac13764b41e2328f97ff61bcbe43a01cd95e2df21fd1a07350125e35e2

SHA512
7c745844a7938ad75fdda6f40daa45b78fa8371c3994c7b6a012bef03965a682dd04178303319b4263a1f3ce277ed73c4b33ede1c06731f416359d3339a923f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
15KB

MD5
e61f82cde9ee435267b6a5c221e46877

SHA1
e87334ad96992861c5937bc7ce48a415116071f8

SHA256
d4f030590ddeef8141a49fac2201b594e1be9a568f26d6a371af2b2c4a2e4d14

SHA512
d51dae9bf9e7c46a9d54098b29ced2349918b585e03c782a5953b6a72184220b0afd655075e357d8063dd632f11ac974811167832a81ff0382535a48360f36b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MH1WNJW8JGM37QYBXL3E.temp

Filesize
15KB

MD5
6ca7998dc3fc2b35a8ed0c3a15524748

SHA1
3a1439bb7f9b2fc31dde0aa41f22ae012d8eca06

SHA256
c156d85c5e24b9fa473cb0a6cb2ec416c7ea83ebb660b1f8e7d15aba00c1bdca

SHA512
3c5fb1f37fd40f8a5f4b35afdf5cdc2e4e9462f185c34c3d3ddf1555c46ef5ec52f25e07441797c450ccfbd450ac8a8f39eeb9d1136b1a142dec23d06d015b51

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\AlternateServices.bin

Filesize
6KB

MD5
60cd13681a453f30013d3d92a52cac7b

SHA1
347de6d2d91c3254b397bb550ea2920771189d22

SHA256
16f6bd08752cfa16bfd0939431af0f5ec1deab6fc5713246dd2143d8a57b19a0

SHA512
53fe90694ea8c96d870b2274748f0b452fc4e77032b1dffda1fa27e863d75c3858cbe7351910b42ec4b29e0895a4a6c5da52d29df47ee4a7fc019554e1a94324

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\AlternateServices.bin

Filesize
10KB

MD5
5bf08ab1aa717a0bc1e673178fd5d1b4

SHA1
7e2c1ff291ece79ad5959960a520cc96c6996789

SHA256
c24803eaf4bb93c9fb7004a72b05933a71c9fd2bd43a73c633236718cb1cc301

SHA512
d7729f0712887b6077643249f92c9191f14ea5c289883fc2f9baa95cf3ba83c91f8c2008a96a8611298c12eab104d0365e6e5bdf620b6dffa906a66ef2225112

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
4a89b07b27f092b17b764d7f3f0aa5d9

SHA1
bbfd777a6c401cee7ab61d4e0d8931a009b86940

SHA256
69ae810e673ef0999a4ed69faa146f8600d27a8342af08f63a656d9378064758

SHA512
4ec5acc3c4954dbbfca3f47c79a52f050975f564324be58e82408ecb39cbed8157009ae0db4c90a11ee84b82501fbf45f5653d3e8d43b593809a9bc5d98667d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
39KB

MD5
3c3f971ea40388c3a294664f15570e6c

SHA1
495c4203d707e73abdf8b8827ed20a6d9f12cdee

SHA256
5408ec47704a264573362ea241560eb3505a936dae4745847f5bc9686a75b9c8

SHA512
04bcd0a2ee746fd484cdb3e186d65def49b30f617ce2d9aad9c5a972b03366f20390717ecd09c6db1cbc979ae8ec002c83e41e8bfe011368ab5b3bcf018d4962

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
858a063f9fc1cfbe09844a89b09f4da9

SHA1
e45b108d10d8082205c391f0531f69bc4918c77d

SHA256
fda0ffd4170abfac5943c2e7c53d7c007efcb12c10d1bd678d568745f269abb9

SHA512
528f9a20b27a83a3561f1a391a7f285faeb4ae3f9cc8817120c4f26b5c56295180235b1a60d509f26467148d04e314c9d48570e01d1af74932bdfca1210cdb7d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\pending_pings\b30f78c1-d7d1-437b-9df9-c2ccbb448e12

Filesize
982B

MD5
9db017b684d63ee6b8dacd6797391bbb

SHA1
b1e7158b76784c4ab11f11868fca0cdeaea5b25d

SHA256
bf0b0055d6dd72e0868a325ee8df90f1a5295b0f4f15a8b8d40008e7b36ff7ef

SHA512
0e3a8a99498721b1086e2eae8c1bffdcaf638b3df12fc9c6ee260a19c7d05b93a6620ede299a0478152f98f32dc626e59dcc1f01bef3999d7afa5ede4dd96a61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\pending_pings\cfcb0fbb-704a-4111-93bb-245d0dd7090b

Filesize
24KB

MD5
3c3e974c9bf0c516fd8d22c821bf79b7

SHA1
2eb6e685ddc16daff4d79d35eabbfab3c191dc7b

SHA256
e6046492c5fc6229d943d4b965c95c3b1459df24e81436f91915dcd34bb489e6

SHA512
8927077ab0f6c7dfd79d3f068e8ba69cd989c6f18ebb52570e3c33243feb0d7e58e84b83aa7752f8d7af0140d592c903d2b7f4637c0b5555a91d29f90c9c1627

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\pending_pings\e2a79fd2-f443-42f8-b9c2-042ea43780e1

Filesize
671B

MD5
15f6eb3c65e50fdc9e87e8f0b7af71a1

SHA1
f260135938cf37c005a2027ba9fec34d36fdbd5f

SHA256
458862fabc50b8a09436e4f0cb2afdbd66513509d9e8ffd1ed2178ba90dc8b8f

SHA512
c3c7641f96bbda3ea8e4dfb63e55b53278ea6c710d94cb288a3d0a4a687923a984828147f53d68190098f94860faeec56e0dc636aac9009a779ec5e17dc3be11

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs-1.js

Filesize
10KB

MD5
5820f9d7ea911d86646499e638fd8e2c

SHA1
e092c54f2e4b97f0150dafc4fce54260b8762f5f

SHA256
e1479648aa08ba8fb6235da6f19a116858cef1a8a3ab3674ccd470e0ae5c5ec3

SHA512
416dd273970581d54000be20574b247c87b7966afb832f4788daae1f17f8ac5f31602ac2aa2287a3cb30f6a148e43f31a2c9ab108799ffab7b7a3a94716f245e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs-1.js

Filesize
9KB

MD5
4cc37b54d2ffddf2cef2aecaae0a3d46

SHA1
bbce452c4c30159e9a9de83e8e32dab0b170d985

SHA256
4238e520acc0bca1edc8a04329415d1b23395ad7f124666c96b1b3ef712777ed

SHA512
217556671dee7235072a11ad4cc8e588c0b1cb4be9bfba105b47c23083008e51608b5baf88da60e083025fe0ccc38ce6ac339f59b0b9b9e529c66871ac7b782c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs-1.js

Filesize
11KB

MD5
c99b7ab01f7d3e3fa532a3421b1cd250

SHA1
1c17149e471cb1f807ce32ba629cda1c104a8204

SHA256
e54dc6c0bd7c3ccdab2e849a174ca65c48abccb1640351b0c061c400c6b07398

SHA512
0b943a907f71dab8f4e25fa7b2b00343f0928f7aad55aee6bd49c8d65052cb95e5ecc4af4d3ebb19a6b7603d99294aa1a3c556807c68567d4a25e33208c89b29

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs.js

Filesize
10KB

MD5
3661b7340f4bc86a4de450218a09feee

SHA1
870a74cc33a7822f2ae24d5a5a449a14b18a770a

SHA256
d5522467d83ab8af12e5d6488959eb31912fedf906ef9cd4977d16775674f2ff

SHA512
07ef03a72698ddff312418a2ec9bef959d73b3dd21660a80d3e6e6553a058a0d4ed9bbb0c78410259ac1c617b2c1cd9a81d22454fcbb9a4dec6373dfca5a3b21

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
b20eba9a90175f7ca5fdfbdd6d102398

SHA1
65c91ebbe3f23c61fb21a66594e085d39b958f01

SHA256
c22655bb38850e9ac9a66822ea142517f7d55f9927bc806690dcf17288b79071

SHA512
5c0e85f5abb97f9d56ba63f83cac168f42201d32e245a463b2c36212dec87c18315f2dd05aa3b84f2ee65915fbc16b68d822d287bbb9bcc042271bc8e76c595e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
ce95e5adb2c897880510e92928a7afef

SHA1
0a195b0812776ea436b4c1f38764f1f9b08e9db9

SHA256
1651bf9f4754eb0b164f59382d39c45f05408ee5f005c73dcb87468fb9cfeea9

SHA512
e3e818950c54e325b446be676d32451e702db43738fa107900e4c8e25b4d5794b3a04c7fbda3359a4dba3739b15d447d9d37f86cb12f94d89fcc29ddff1df54f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
c19a5d005fb5bf2a88638e94b3152210

SHA1
c562446a86e2e82f839dec0ea792230f57953abd

SHA256
9a7966a43d6c4657136818c3484bb6a89fd386b25618b22ead54879dc5d6bbb4

SHA512
1a15b09feb2c31c0000d8fea6da722a4a4adfa590022e23adeef39deccc9d1845be8f30642fa34d0ae78c24785da1b0a9bcaa9697d177b9516fa96998c9935d1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
697c4d49bcd29ec7aa5f010d875da9df

SHA1
fe1b4bb4edd131657be00ca48362d36aba5d6481

SHA256
ecb810bc898a33832dbe31e5d10f2edb237bfedf44f0d4346cabe00ddf646b1f

SHA512
971f3ae4b060ba647de7526ff79ce3dcd19d4e38845176a549e3ba1b6efc26a37c6bd5a4d84eb907db66cd8b72486860f08f36b0bed9b7251fa932c3768a1be2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
376KB

MD5
1083f50d8e79dd0fa8661077de4211bc

SHA1
9bf3cd0a6b2320aef4ad4be159ff4ff1243cfc7c

SHA256
77c17e9cda2a6261995ff07b3ab11e18fe69d78b99824d282904d98f341bbeb8

SHA512
38a2ae1f0d8731939a94b40c46a5afa139d2f55395f7a6993904559b9a105bbf5cb760b6f5cb6c5e96e49d6fe32bb5b11e2e209f72e907f9a16534c877be3904

Download Submit
C:\Users\Admin\Documents\Monero\wallets\Admin\Admin

Filesize
4.0MB

MD5
84ad9742c5523f17f30ced0c3537159c

SHA1
a0a27cb12f76bea7ee1a92963c66b68d9f11a7aa

SHA256
935faa87aa57049d1b6e1987966e48039886ef157214835630ae7f5f1eba58f4

SHA512
023460a53bfa3bc7cbe1c6bcb873298c49caf83f8bbb64a46aa8bcebad01e5aa8e5a3774189fe72b02c16dbdc521441382fe69028d933fa49e4c2d1d71b88c61

Download Submit
C:\Users\Admin\Documents\Monero\wallets\Admin\Admin

Filesize
400KB

MD5
a5d976d02cefce02e1ebdd0c370c4f86

SHA1
ebd010b43ac3af79d34dedc475e6217302c8597f

SHA256
a16d3409b71040db06a813513ee1f0b827c0609fa618f60b59e8e6417588df33

SHA512
1cc4545a94d62d64cb7383ab3a705bee138427f7cdf39b4a78d47f32ca272da80078d4187924edbf611775ffcc6dce6bf6bfcf01eeafb45b326d25f42db36ec7

Download Submit
C:\Users\Admin\Documents\Monero\wallets\Admin\Admin.keys

Filesize
1KB

MD5
eef50f0d85c52e7f2a8ae5f0afdcdee1

SHA1
0979a893600642409b988222a7305df68466f253

SHA256
37811e2b121b242ebaa8aa4a6a256460f89e42087fceff704eaf12af5ad543e2

SHA512
35e39e21b9a57e9b09d4e4085ca6da06841a6fe38db467d4a30ca97d9b8722beed3427651b515f64f5842cacc4682fdd526c384a9fc6bfc83a12d7528799e2fe

Download Submit
C:\Users\Admin\Downloads\fakenet3.B8MqNN45.3.zip.part

Filesize
8.0MB

MD5
85de6b0dd12dcea4946c9854401f7788

SHA1
00286f22f65a617333a8ca2f1df1daa7b6fa392a

SHA256
cd3f263a01926366643118c541a6ad24a171b4369363a60deb9a570a1d600865

SHA512
2d30328d96d7aeb61834db4f2709e92d6226e06ab6e0fafce77dede7134ac30d5620c1603949a050e418ba4b09d524dd3d85229dbfa3915fc2510b035af34571

Download Submit
C:\Users\Public\Desktop\GUI Wallet.lnk

Filesize
968B

MD5
b09ef29c00c0e3b5ce7243070373f4f4

SHA1
32d2a118fc4353f63ac9ec65dcc05c9818d4194e

SHA256
06b1fe5fccd6ad6401b66d879f0f878eabe5a79e3de2abff478d3ae44022406e

SHA512
9b6e19d39f18d78a17dc1e32b7b6e29f4591209a8862a14a19fdf009c94346e1725c4ac0b2f23ddabe625b830cb2bd3028f79fe5252104c6525b977da7af1b07

Download Submit
memory/952-819-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/952-644-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1976-9-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1976-4-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1976-7-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1976-21-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1976-25-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3048-703-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/3048-663-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/3048-818-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/3048-758-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/3048-650-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/3460-413-0x00000000753B0000-0x0000000075B60000-memory.dmp

Filesize
7.7MB

Download
memory/3460-11-0x00000000753B0000-0x0000000075B60000-memory.dmp

Filesize
7.7MB

Download
memory/3460-0-0x00000000753BE000-0x00000000753BF000-memory.dmp

Filesize
4KB

Download
memory/3460-1-0x00000000006E0000-0x0000000000716000-memory.dmp

Filesize
216KB

Download
memory/6116-897-0x0000000006500000-0x0000000006501000-memory.dmp

Filesize
4KB

Download
memory/6116-920-0x000000000C400000-0x000000000C401000-memory.dmp

Filesize
4KB

Download
memory/6116-923-0x000000000D880000-0x000000000D881000-memory.dmp

Filesize
4KB

Download
memory/6116-926-0x000000000D8B0000-0x000000000D8B3000-memory.dmp

Filesize
12KB

Download
memory/6116-933-0x000000000D620000-0x000000000D621000-memory.dmp

Filesize
4KB

Download
memory/6116-932-0x000000000ACC0000-0x000000000ACC1000-memory.dmp

Filesize
4KB

Download
memory/6116-927-0x000000000D8B0000-0x000000000D8B3000-memory.dmp

Filesize
12KB

Download
memory/6116-928-0x000000000D880000-0x000000000D881000-memory.dmp

Filesize
4KB

Download
memory/6116-929-0x000000000D880000-0x000000000D881000-memory.dmp

Filesize
4KB

Download
memory/6116-930-0x000000000D620000-0x000000000D621000-memory.dmp

Filesize
4KB

Download
memory/6116-931-0x000000000D620000-0x000000000D621000-memory.dmp

Filesize
4KB

Download
memory/6116-925-0x000000000D8A0000-0x000000000D8A1000-memory.dmp

Filesize
4KB

Download
memory/6116-922-0x000000000D880000-0x000000000D881000-memory.dmp

Filesize
4KB

Download
memory/6116-913-0x000000000ACC0000-0x000000000ACC1000-memory.dmp

Filesize
4KB

Download
memory/6116-914-0x000000000ACC0000-0x000000000ACC1000-memory.dmp

Filesize
4KB

Download
memory/6116-915-0x000000000ACC0000-0x000000000ACC1000-memory.dmp

Filesize
4KB

Download
memory/6116-916-0x000000000ACC0000-0x000000000ACC1000-memory.dmp

Filesize
4KB

Download
memory/6116-917-0x000000000ACC0000-0x000000000ACC1000-memory.dmp

Filesize
4KB

Download
memory/6116-919-0x000000000D620000-0x000000000D621000-memory.dmp

Filesize
4KB

Download
memory/6116-912-0x000000000C400000-0x000000000C401000-memory.dmp

Filesize
4KB

Download
memory/6116-911-0x000000000C400000-0x000000000C401000-memory.dmp

Filesize
4KB

Download
memory/6116-909-0x000000000A8C0000-0x000000000A8C1000-memory.dmp

Filesize
4KB

Download
memory/6116-908-0x000000000ACC0000-0x000000000ACC1000-memory.dmp

Filesize
4KB

Download
memory/6116-907-0x000000000ACC0000-0x000000000ACC1000-memory.dmp

Filesize
4KB

Download
memory/6116-894-0x0000000006500000-0x0000000006501000-memory.dmp

Filesize
4KB

Download
memory/6116-895-0x0000000006500000-0x0000000006501000-memory.dmp

Filesize
4KB

Download
memory/6116-896-0x0000000006500000-0x0000000006501000-memory.dmp

Filesize
4KB

Download
memory/6116-906-0x000000000ACC0000-0x000000000ACC1000-memory.dmp

Filesize
4KB

Download
memory/6116-905-0x000000000ACC0000-0x000000000ACC1000-memory.dmp

Filesize
4KB

Download
memory/6116-898-0x0000000006500000-0x0000000006501000-memory.dmp

Filesize
4KB

Download
memory/6116-899-0x0000000006500000-0x0000000006501000-memory.dmp

Filesize
4KB

Download
memory/6116-900-0x0000000006500000-0x0000000006501000-memory.dmp

Filesize
4KB

Download
memory/6116-903-0x000000000A8C0000-0x000000000A8C1000-memory.dmp

Filesize
4KB

Download
memory/6116-901-0x0000000006500000-0x0000000006501000-memory.dmp

Filesize
4KB

Download
memory/6116-890-0x0000000008FB0000-0x00000000093F2000-memory.dmp

Filesize
4.3MB

Download
memory/6116-892-0x0000000009400000-0x0000000009602000-memory.dmp

Filesize
2.0MB

Download
memory/6672-4330-0x0000000074D50000-0x00000000752C8000-memory.dmp

Filesize
5.5MB

Download
memory/6672-4377-0x0000000074A60000-0x0000000074B74000-memory.dmp

Filesize
1.1MB

Download
memory/6672-4320-0x00000000756E0000-0x00000000756EC000-memory.dmp

Filesize
48KB

Download
memory/6672-4321-0x00000000756C0000-0x00000000756D6000-memory.dmp

Filesize
88KB

Download
memory/6672-4322-0x0000000075670000-0x000000007567C000-memory.dmp

Filesize
48KB

Download
memory/6672-4324-0x0000000075650000-0x000000007565D000-memory.dmp

Filesize
52KB

Download
memory/6672-4323-0x0000000075660000-0x000000007566C000-memory.dmp

Filesize
48KB

Download
memory/6672-4326-0x0000000075320000-0x000000007557C000-memory.dmp

Filesize
2.4MB

Download
memory/6672-4360-0x0000000075320000-0x000000007557C000-memory.dmp

Filesize
2.4MB

Download
memory/6672-4361-0x00000000756F0000-0x000000007570F000-memory.dmp

Filesize
124KB

Download
memory/6672-4362-0x00000000756E0000-0x00000000756EC000-memory.dmp

Filesize
48KB

Download
memory/6672-4363-0x00000000756C0000-0x00000000756D6000-memory.dmp

Filesize
88KB

Download
memory/6672-4364-0x0000000075670000-0x000000007567C000-memory.dmp

Filesize
48KB

Download
memory/6672-4365-0x0000000075660000-0x000000007566C000-memory.dmp

Filesize
48KB

Download
memory/6672-4366-0x0000000075650000-0x000000007565D000-memory.dmp

Filesize
52KB

Download
memory/6672-4367-0x0000000075620000-0x0000000075648000-memory.dmp

Filesize
160KB

Download
memory/6672-4368-0x0000000075580000-0x0000000075614000-memory.dmp

Filesize
592KB

Download
memory/6672-4369-0x00000000757A0000-0x0000000075BE3000-memory.dmp

Filesize
4.3MB

Download
memory/6672-4370-0x0000000075300000-0x0000000075315000-memory.dmp

Filesize
84KB

Download
memory/6672-4373-0x0000000074D20000-0x0000000074D4F000-memory.dmp

Filesize
188KB

Download
memory/6672-4374-0x0000000074D10000-0x0000000074D20000-memory.dmp

Filesize
64KB

Download
memory/6672-4375-0x0000000074B90000-0x0000000074BC5000-memory.dmp

Filesize
212KB

Download
memory/6672-4376-0x0000000074B80000-0x0000000074B8A000-memory.dmp

Filesize
40KB

Download
memory/6672-4319-0x00000000757A0000-0x0000000075BE3000-memory.dmp

Filesize
4.3MB

Download
memory/6672-4372-0x0000000074D50000-0x00000000752C8000-memory.dmp

Filesize
5.5MB

Download
memory/6672-4371-0x00000000752D0000-0x00000000752F7000-memory.dmp

Filesize
156KB

Download
memory/6672-4338-0x0000000075580000-0x0000000075614000-memory.dmp

Filesize
592KB

Download
memory/6672-4340-0x00000000030C0000-0x000000000331C000-memory.dmp

Filesize
2.4MB

Download
memory/6672-4336-0x0000000075620000-0x0000000075648000-memory.dmp

Filesize
160KB

Download
memory/6672-4337-0x0000000074A60000-0x0000000074B74000-memory.dmp

Filesize
1.1MB

Download
memory/6672-4334-0x0000000075650000-0x000000007565D000-memory.dmp

Filesize
52KB

Download
memory/6672-4335-0x0000000074B80000-0x0000000074B8A000-memory.dmp

Filesize
40KB

Download
memory/6672-4333-0x0000000074B90000-0x0000000074BC5000-memory.dmp

Filesize
212KB

Download
memory/6672-4332-0x0000000074D10000-0x0000000074D20000-memory.dmp

Filesize
64KB

Download
memory/6672-4331-0x00000000756C0000-0x00000000756D6000-memory.dmp

Filesize
88KB

Download
memory/6672-4328-0x00000000756F0000-0x000000007570F000-memory.dmp

Filesize
124KB

Download
memory/6672-4329-0x00000000752D0000-0x00000000752F7000-memory.dmp

Filesize
156KB

Download
memory/6672-4325-0x00000000030C0000-0x000000000331C000-memory.dmp

Filesize
2.4MB

Download
memory/6672-4327-0x00000000757A0000-0x0000000075BE3000-memory.dmp

Filesize
4.3MB

Download
memory/6884-4438-0x00000000757A0000-0x0000000075BE3000-memory.dmp

Filesize
4.3MB

Download
memory/6884-4439-0x00000000756E0000-0x00000000756EC000-memory.dmp

Filesize
48KB

Download
memory/6884-4440-0x00000000756C0000-0x00000000756D6000-memory.dmp

Filesize
88KB

Download
memory/6884-4441-0x0000000075670000-0x000000007567C000-memory.dmp

Filesize
48KB

Download
memory/6884-4442-0x0000000075650000-0x000000007565D000-memory.dmp

Filesize
52KB

Download
memory/6884-4443-0x0000000075580000-0x0000000075614000-memory.dmp

Filesize
592KB

Download
memory/7876-4214-0x0000000075650000-0x000000007565D000-memory.dmp

Filesize
52KB

Download
memory/7876-4216-0x0000000075620000-0x0000000075648000-memory.dmp

Filesize
160KB

Download
memory/7876-4241-0x0000000075320000-0x000000007557C000-memory.dmp

Filesize
2.4MB

Download
memory/7876-4242-0x00000000756F0000-0x000000007570F000-memory.dmp

Filesize
124KB

Download
memory/7876-4243-0x00000000756E0000-0x00000000756EC000-memory.dmp

Filesize
48KB

Download
memory/7876-4244-0x00000000756C0000-0x00000000756D6000-memory.dmp

Filesize
88KB

Download
memory/7876-4245-0x0000000075670000-0x000000007567C000-memory.dmp

Filesize
48KB

Download
memory/7876-4246-0x0000000075660000-0x000000007566C000-memory.dmp

Filesize
48KB

Download
memory/7876-4247-0x0000000075650000-0x000000007565D000-memory.dmp

Filesize
52KB

Download
memory/7876-4248-0x0000000075620000-0x0000000075648000-memory.dmp

Filesize
160KB

Download
memory/7876-4249-0x0000000075580000-0x0000000075614000-memory.dmp

Filesize
592KB

Download
memory/7876-4250-0x00000000757A0000-0x0000000075BE3000-memory.dmp

Filesize
4.3MB

Download
memory/7876-4251-0x0000000075300000-0x0000000075315000-memory.dmp

Filesize
84KB

Download
memory/7876-4192-0x00000000757A0000-0x0000000075BE3000-memory.dmp

Filesize
4.3MB

Download
memory/7876-4253-0x0000000074D50000-0x00000000752C8000-memory.dmp

Filesize
5.5MB

Download
memory/7876-4254-0x0000000074D20000-0x0000000074D4F000-memory.dmp

Filesize
188KB

Download
memory/7876-4255-0x0000000074D10000-0x0000000074D20000-memory.dmp

Filesize
64KB

Download
memory/7876-4256-0x0000000074B90000-0x0000000074BC5000-memory.dmp

Filesize
212KB

Download
memory/7876-4257-0x0000000074B80000-0x0000000074B8A000-memory.dmp

Filesize
40KB

Download
memory/7876-4258-0x0000000074A60000-0x0000000074B74000-memory.dmp

Filesize
1.1MB

Download
memory/7876-4252-0x00000000752D0000-0x00000000752F7000-memory.dmp

Filesize
156KB

Download
memory/7876-4220-0x0000000003CC0000-0x0000000003F1C000-memory.dmp

Filesize
2.4MB

Download
memory/7876-4221-0x00000000749D0000-0x00000000749DB000-memory.dmp

Filesize
44KB

Download
memory/7876-4219-0x0000000075580000-0x0000000075614000-memory.dmp

Filesize
592KB

Download
memory/7876-4217-0x0000000074A60000-0x0000000074B74000-memory.dmp

Filesize
1.1MB

Download
memory/7876-4194-0x00000000756E0000-0x00000000756EC000-memory.dmp

Filesize
48KB

Download
memory/7876-4215-0x0000000074B80000-0x0000000074B8A000-memory.dmp

Filesize
40KB

Download
memory/7876-4212-0x0000000075660000-0x000000007566C000-memory.dmp

Filesize
48KB

Download
memory/7876-4213-0x0000000074B90000-0x0000000074BC5000-memory.dmp

Filesize
212KB

Download
memory/7876-4211-0x0000000074D10000-0x0000000074D20000-memory.dmp

Filesize
64KB

Download
memory/7876-4209-0x00000000756C0000-0x00000000756D6000-memory.dmp

Filesize
88KB

Download
memory/7876-4210-0x0000000074D20000-0x0000000074D4F000-memory.dmp

Filesize
188KB

Download
memory/7876-4207-0x00000000756E0000-0x00000000756EC000-memory.dmp

Filesize
48KB

Download
memory/7876-4208-0x0000000074D50000-0x00000000752C8000-memory.dmp

Filesize
5.5MB

Download
memory/7876-4205-0x00000000756F0000-0x000000007570F000-memory.dmp

Filesize
124KB

Download
memory/7876-4206-0x00000000752D0000-0x00000000752F7000-memory.dmp

Filesize
156KB

Download
memory/7876-4204-0x0000000075300000-0x0000000075315000-memory.dmp

Filesize
84KB

Download
memory/7876-4200-0x0000000075580000-0x0000000075614000-memory.dmp

Filesize
592KB

Download
memory/7876-4201-0x0000000003CC0000-0x0000000003F1C000-memory.dmp

Filesize
2.4MB

Download
memory/7876-4202-0x0000000075320000-0x000000007557C000-memory.dmp

Filesize
2.4MB

Download
memory/7876-4203-0x00000000757A0000-0x0000000075BE3000-memory.dmp

Filesize
4.3MB

Download
memory/7876-4199-0x0000000075620000-0x0000000075648000-memory.dmp

Filesize
160KB

Download
memory/7876-4196-0x0000000075670000-0x000000007567C000-memory.dmp

Filesize
48KB

Download
memory/7876-4197-0x0000000075660000-0x000000007566C000-memory.dmp

Filesize
48KB

Download
memory/7876-4198-0x0000000075650000-0x000000007565D000-memory.dmp

Filesize
52KB

Download
memory/7876-4195-0x00000000756C0000-0x00000000756D6000-memory.dmp

Filesize
88KB

Download
memory/7876-4193-0x00000000756F0000-0x000000007570F000-memory.dmp

Filesize
124KB

Download