healer | 440abc5db3efed296663a525774c5d7eac845c042366a8ff5a02021b7f27e327

Analysis

max time kernel
67s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24/02/2025, 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quarantine/random_3.exe
Size

429KB
MD5

a92d6465d69430b38cbc16bf1c6a7210
SHA1

421fadebee484c9d19b9cb18faf3b0f5d9b7a554
SHA256

3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77
SHA512

0fc65c930a01db8cf306252402c47cf00b1222cd9d9736baf839488cdd6cf96ae8be479e08282ec7f34b665250580466a25cdfc699f4ecef6d5e4d543db8c345
SSDEEP

6144:Q/RCey1AxsmF1cQxQ3KcTN3Wz40v1fwb6prdotQ6g0MQYSE2/H9yQ+iT5gc7AOOp:Q/RCey1AxsmUQ63NmjyQ6g0MQYZc7Kb

Score

10^/10

healer lumma vidar credential_access defense_evasion discovery dropper execution spyware stealer upx

Malware Config

Extracted

Family

vidar

https://t.me/g02f04

https://steamcommunity.com/profiles/76561199828130190

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Extracted

Family

lumma

https://embarkiffe.shop/api

Signatures

Detect Vidar Stealer 19 IoCs

stealer

resource	yara_rule
behavioral9/memory/2024-244-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral9/memory/2024-407-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral9/memory/2024-480-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral9/memory/2024-479-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral9/memory/2024-498-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral9/memory/2024-571-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral9/memory/2024-593-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral9/memory/2024-590-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral9/memory/2024-615-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral9/memory/2024-648-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral9/memory/2024-657-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral9/memory/2024-676-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral9/memory/2024-680-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral9/memory/2024-701-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral9/memory/2024-704-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral9/memory/2024-723-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral9/memory/2024-724-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral9/memory/2024-784-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral9/memory/2024-804-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral9/memory/596-1167-0x0000000000F50000-0x00000000013C0000-memory.dmp	healer
behavioral9/memory/596-1168-0x0000000000F50000-0x00000000013C0000-memory.dmp	healer
behavioral9/memory/596-1204-0x0000000000F50000-0x00000000013C0000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bgUvqLl.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Y9WG5Ep.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2664	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
5	2904	rapes.exe

Uses browser remote debugging 2 TTPs 4 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
376	chrome.exe
924	chrome.exe
2084	chrome.exe
1528	chrome.exe

.NET Reactor proctector 4 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral9/files/0x0005000000018792-68.dat	net_reactor
behavioral9/memory/1140-80-0x0000000000D50000-0x0000000000E26000-memory.dmp	net_reactor
behavioral9/files/0x00070000000190e0-284.dat	net_reactor
behavioral9/memory/668-296-0x0000000000D20000-0x0000000000DF6000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bgUvqLl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bgUvqLl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Y9WG5Ep.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Y9WG5Ep.exe

Executes dropped EXE 10 IoCs

pid	Process
2904	rapes.exe
2724	q3na5Mc.exe
2988	bgUvqLl.exe
1592	Y9WG5Ep.exe
1140	wKG7rkG.exe
1656	wKG7rkG.exe
1304	c78cf2b03a.exe
688	c78cf2b03a.exe
668	8NsQP4U.exe
1548	8NsQP4U.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	bgUvqLl.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	Y9WG5Ep.exe

Loads dropped DLL 24 IoCs

pid	Process
2484	random_3.exe
2904	rapes.exe
2904	rapes.exe
2904	rapes.exe
2904	rapes.exe
2904	rapes.exe
2904	rapes.exe
2904	rapes.exe
1140	wKG7rkG.exe
912	WerFault.exe
912	WerFault.exe
912	WerFault.exe
2904	rapes.exe
2904	rapes.exe
1304	c78cf2b03a.exe
2356	WerFault.exe
2356	WerFault.exe
2356	WerFault.exe
2904	rapes.exe
2904	rapes.exe
668	8NsQP4U.exe
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
92	bitbucket.org
95	bitbucket.org

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral9/files/0x0005000000019cad-1003.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2988	bgUvqLl.exe
1592	Y9WG5Ep.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1140 set thread context of 1656	1140	wKG7rkG.exe	38
PID 1304 set thread context of 688	1304	c78cf2b03a.exe	42
PID 2724 set thread context of 2024	2724	q3na5Mc.exe	44
PID 668 set thread context of 1548	668	8NsQP4U.exe	46

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral9/files/0x000500000000b3e1-844.dat	upx
behavioral9/memory/820-857-0x0000000000980000-0x00000000013ED000-memory.dmp	upx
behavioral9/memory/820-854-0x0000000000980000-0x00000000013ED000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	random_3.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
912	1140	WerFault.exe	37
2356	1304	WerFault.exe	40
1648	668	WerFault.exe	45
1776	2400	WerFault.exe	77

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wKG7rkG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c78cf2b03a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c78cf2b03a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8NsQP4U.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8NsQP4U.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	q3na5Mc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wKG7rkG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random_3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bgUvqLl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Y9WG5Ep.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BitLockerToGo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BitLockerToGo.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1920	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
1140	taskkill.exe
2816	taskkill.exe
1324	taskkill.exe
1620	taskkill.exe
2760	taskkill.exe

Modifies system certificate store 2 TTPs 6 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	8NsQP4U.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	rapes.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	rapes.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	rapes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	8NsQP4U.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	8NsQP4U.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2988	bgUvqLl.exe
2988	bgUvqLl.exe
2988	bgUvqLl.exe
2988	bgUvqLl.exe
2988	bgUvqLl.exe
1592	Y9WG5Ep.exe
1592	Y9WG5Ep.exe
1592	Y9WG5Ep.exe
1592	Y9WG5Ep.exe
1592	Y9WG5Ep.exe
1656	wKG7rkG.exe
1656	wKG7rkG.exe
1656	wKG7rkG.exe
1656	wKG7rkG.exe
688	c78cf2b03a.exe
688	c78cf2b03a.exe
688	c78cf2b03a.exe
688	c78cf2b03a.exe
1548	8NsQP4U.exe
1548	8NsQP4U.exe
1548	8NsQP4U.exe
1548	8NsQP4U.exe
2024	BitLockerToGo.exe
2024	BitLockerToGo.exe
1528	chrome.exe
1528	chrome.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe
Token: SeShutdownPrivilege	1528	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2484	random_3.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2904	2484	random_3.exe	31
PID 2484 wrote to memory of 2904	2484	random_3.exe	31
PID 2484 wrote to memory of 2904	2484	random_3.exe	31
PID 2484 wrote to memory of 2904	2484	random_3.exe	31
PID 2904 wrote to memory of 2724	2904	rapes.exe	33
PID 2904 wrote to memory of 2724	2904	rapes.exe	33
PID 2904 wrote to memory of 2724	2904	rapes.exe	33
PID 2904 wrote to memory of 2724	2904	rapes.exe	33
PID 2904 wrote to memory of 2724	2904	rapes.exe	33
PID 2904 wrote to memory of 2724	2904	rapes.exe	33
PID 2904 wrote to memory of 2724	2904	rapes.exe	33
PID 2904 wrote to memory of 2988	2904	rapes.exe	34
PID 2904 wrote to memory of 2988	2904	rapes.exe	34
PID 2904 wrote to memory of 2988	2904	rapes.exe	34
PID 2904 wrote to memory of 2988	2904	rapes.exe	34
PID 2904 wrote to memory of 1592	2904	rapes.exe	36
PID 2904 wrote to memory of 1592	2904	rapes.exe	36
PID 2904 wrote to memory of 1592	2904	rapes.exe	36
PID 2904 wrote to memory of 1592	2904	rapes.exe	36
PID 2904 wrote to memory of 1140	2904	rapes.exe	37
PID 2904 wrote to memory of 1140	2904	rapes.exe	37
PID 2904 wrote to memory of 1140	2904	rapes.exe	37
PID 2904 wrote to memory of 1140	2904	rapes.exe	37
PID 1140 wrote to memory of 1656	1140	wKG7rkG.exe	38
PID 1140 wrote to memory of 1656	1140	wKG7rkG.exe	38
PID 1140 wrote to memory of 1656	1140	wKG7rkG.exe	38
PID 1140 wrote to memory of 1656	1140	wKG7rkG.exe	38
PID 1140 wrote to memory of 1656	1140	wKG7rkG.exe	38
PID 1140 wrote to memory of 1656	1140	wKG7rkG.exe	38
PID 1140 wrote to memory of 1656	1140	wKG7rkG.exe	38
PID 1140 wrote to memory of 1656	1140	wKG7rkG.exe	38
PID 1140 wrote to memory of 1656	1140	wKG7rkG.exe	38
PID 1140 wrote to memory of 1656	1140	wKG7rkG.exe	38
PID 1140 wrote to memory of 912	1140	wKG7rkG.exe	39
PID 1140 wrote to memory of 912	1140	wKG7rkG.exe	39
PID 1140 wrote to memory of 912	1140	wKG7rkG.exe	39
PID 1140 wrote to memory of 912	1140	wKG7rkG.exe	39
PID 2904 wrote to memory of 1304	2904	rapes.exe	40
PID 2904 wrote to memory of 1304	2904	rapes.exe	40
PID 2904 wrote to memory of 1304	2904	rapes.exe	40
PID 2904 wrote to memory of 1304	2904	rapes.exe	40
PID 1304 wrote to memory of 688	1304	c78cf2b03a.exe	42
PID 1304 wrote to memory of 688	1304	c78cf2b03a.exe	42
PID 1304 wrote to memory of 688	1304	c78cf2b03a.exe	42
PID 1304 wrote to memory of 688	1304	c78cf2b03a.exe	42
PID 1304 wrote to memory of 688	1304	c78cf2b03a.exe	42
PID 1304 wrote to memory of 688	1304	c78cf2b03a.exe	42
PID 1304 wrote to memory of 688	1304	c78cf2b03a.exe	42
PID 1304 wrote to memory of 688	1304	c78cf2b03a.exe	42
PID 1304 wrote to memory of 688	1304	c78cf2b03a.exe	42
PID 1304 wrote to memory of 688	1304	c78cf2b03a.exe	42
PID 1304 wrote to memory of 2356	1304	c78cf2b03a.exe	43
PID 1304 wrote to memory of 2356	1304	c78cf2b03a.exe	43
PID 1304 wrote to memory of 2356	1304	c78cf2b03a.exe	43
PID 1304 wrote to memory of 2356	1304	c78cf2b03a.exe	43
PID 2724 wrote to memory of 2024	2724	q3na5Mc.exe	44
PID 2724 wrote to memory of 2024	2724	q3na5Mc.exe	44
PID 2724 wrote to memory of 2024	2724	q3na5Mc.exe	44
PID 2724 wrote to memory of 2024	2724	q3na5Mc.exe	44
PID 2724 wrote to memory of 2024	2724	q3na5Mc.exe	44
PID 2724 wrote to memory of 2024	2724	q3na5Mc.exe	44
PID 2724 wrote to memory of 2024	2724	q3na5Mc.exe	44
PID 2724 wrote to memory of 2024	2724	q3na5Mc.exe	44
PID 2724 wrote to memory of 2024	2724	q3na5Mc.exe	44

C:\Users\Admin\AppData\Local\Temp\quarantine\random_3.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\random_3.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
  "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
  2⤵
  - Downloads MZ/PE file
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe
    "C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2024
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:1528
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6c99758,0x7fef6c99768,0x7fef6c99778
        6⤵
        
        PID:1484
      - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        6⤵
        
        PID:772
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1192,i,9479429815612885505,9158386453638718953,131072 /prefetch:2
        6⤵
        
        PID:1644
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1192,i,9479429815612885505,9158386453638718953,131072 /prefetch:8
        6⤵
        
        PID:1052
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1192,i,9479429815612885505,9158386453638718953,131072 /prefetch:8
        6⤵
        
        PID:2848
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1048 --field-trial-handle=1192,i,9479429815612885505,9158386453638718953,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:376
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2336 --field-trial-handle=1192,i,9479429815612885505,9158386453638718953,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:924
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1392 --field-trial-handle=1192,i,9479429815612885505,9158386453638718953,131072 /prefetch:2
        6⤵
        
        PID:992
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2268 --field-trial-handle=1192,i,9479429815612885505,9158386453638718953,131072 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:2084
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3484 --field-trial-handle=1192,i,9479429815612885505,9158386453638718953,131072 /prefetch:8
        6⤵
        
        PID:3048
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3604 --field-trial-handle=1192,i,9479429815612885505,9158386453638718953,131072 /prefetch:8
        6⤵
        
        PID:2544
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3496 --field-trial-handle=1192,i,9479429815612885505,9158386453638718953,131072 /prefetch:8
        6⤵
        
        PID:2672
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\zmglf" & exit
        5⤵
        
        PID:2976
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        6⤵
        Delays execution with timeout.exe
        
        PID:1920
- - C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe
    "C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2988
- - C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe
    "C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1592
- - C:\Users\Admin\AppData\Local\Temp\10001080101\wKG7rkG.exe
    "C:\Users\Admin\AppData\Local\Temp\10001080101\wKG7rkG.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Users\Admin\AppData\Local\Temp\10001080101\wKG7rkG.exe
      "C:\Users\Admin\AppData\Local\Temp\10001080101\wKG7rkG.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1656
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 500
      4⤵
      Loads dropped DLL
      Program crash
      PID:912
- - C:\Users\Admin\AppData\Local\Temp\10003000101\c78cf2b03a.exe
    "C:\Users\Admin\AppData\Local\Temp\10003000101\c78cf2b03a.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1304
  - - C:\Users\Admin\AppData\Local\Temp\10003000101\c78cf2b03a.exe
      "C:\Users\Admin\AppData\Local\Temp\10003000101\c78cf2b03a.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:688
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 68
      4⤵
      Loads dropped DLL
      Program crash
      PID:2356
- - C:\Users\Admin\AppData\Local\Temp\10007960101\8NsQP4U.exe
    "C:\Users\Admin\AppData\Local\Temp\10007960101\8NsQP4U.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:668
  - - C:\Users\Admin\AppData\Local\Temp\10007960101\8NsQP4U.exe
      "C:\Users\Admin\AppData\Local\Temp\10007960101\8NsQP4U.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      PID:1548
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 504
      4⤵
      Loads dropped DLL
      Program crash
      PID:1648
- - C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe
    "C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe"
    3⤵
    PID:2128
- - C:\Users\Admin\AppData\Local\Temp\10009960101\0iMSdYX.exe
    "C:\Users\Admin\AppData\Local\Temp\10009960101\0iMSdYX.exe"
    3⤵
    PID:2080
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\nahprot.bat" "
      4⤵
      PID:2208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "Start-Process -FilePath 'C:\Users\Admin\AppData\Roaming\nahprot.bat' -ArgumentList 'gOsYxjsoymkBmrzpQYy' -WindowStyle Hidden"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2664
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\nahprot.bat" gOsYxjsoymkBmrzpQYy "
        6⤵
        
        PID:2364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "if ((Get-WmiObject Win32_DiskDrive | Select-Object -ExpandProperty Model | findstr /i 'WDS100T2B0A') -and (-not (Get-ChildItem -Path F:\ -Recurse | Where-Object { -not $_.PSIsContainer } | Measure-Object).Count)) {exit 900} else {exit 1}"
        7⤵
        
        PID:928
        
        C:\Windows\system32\findstr.exe
        
        "C:\Windows\system32\findstr.exe" /i WDS100T2B0A
        8⤵
        
        PID:2956
- - C:\Users\Admin\AppData\Local\Temp\10010280101\jC506fQ.exe
    "C:\Users\Admin\AppData\Local\Temp\10010280101\jC506fQ.exe"
    3⤵
    PID:820
- - C:\Users\Admin\AppData\Local\Temp\10010480101\RHPLumH.exe
    "C:\Users\Admin\AppData\Local\Temp\10010480101\RHPLumH.exe"
    3⤵
    PID:2056
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
      4⤵
      PID:320
- - C:\Users\Admin\AppData\Local\Temp\10010510101\bgjeiNH.exe
    "C:\Users\Admin\AppData\Local\Temp\10010510101\bgjeiNH.exe"
    3⤵
    PID:2400
  - - C:\Users\Admin\AppData\Local\Temp\10010510101\bgjeiNH.exe
      "C:\Users\Admin\AppData\Local\Temp\10010510101\bgjeiNH.exe"
      4⤵
      PID:2188
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 500
      4⤵
      Program crash
      PID:1776
- - C:\Users\Admin\AppData\Local\Temp\10011910101\2ee628e0f3.exe
    "C:\Users\Admin\AppData\Local\Temp\10011910101\2ee628e0f3.exe"
    3⤵
    PID:3020
- - C:\Users\Admin\AppData\Local\Temp\10011920101\34ebed4ae8.exe
    "C:\Users\Admin\AppData\Local\Temp\10011920101\34ebed4ae8.exe"
    3⤵
    PID:2780
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      Kills process with taskkill
      PID:1620
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      Kills process with taskkill
      PID:2760
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      Kills process with taskkill
      PID:1140
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      Kills process with taskkill
      PID:2816
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      Kills process with taskkill
      PID:1324
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:2580
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        
        PID:552
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="552.0.980481071\84256713" -parentBuildID 20221007134813 -prefsHandle 1228 -prefMapHandle 1220 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1487bd6-8522-4582-8ef0-4461ebd566c4} 552 "\\.\pipe\gecko-crash-server-pipe.552" 1304 10dd6d58 gpu
        6⤵
        
        PID:2772
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="552.1.998736020\336225685" -parentBuildID 20221007134813 -prefsHandle 1496 -prefMapHandle 1492 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b58fb913-989f-43f7-bee7-d72e4498320a} 552 "\\.\pipe\gecko-crash-server-pipe.552" 1508 d74558 socket
        6⤵
        
        PID:1968
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="552.2.1031909833\249838530" -childID 1 -isForBrowser -prefsHandle 2068 -prefMapHandle 2064 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b977129-7f0a-4187-a343-7057c7ddf2c0} 552 "\\.\pipe\gecko-crash-server-pipe.552" 1940 1a19b858 tab
        6⤵
        
        PID:2552
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="552.3.1106771051\526217202" -childID 2 -isForBrowser -prefsHandle 2948 -prefMapHandle 2944 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdd94471-2f24-45a8-a2a5-7843f5e3e152} 552 "\\.\pipe\gecko-crash-server-pipe.552" 2960 1b636e58 tab
        6⤵
        
        PID:1244
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="552.4.1172692489\1231129329" -childID 3 -isForBrowser -prefsHandle 3800 -prefMapHandle 3804 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4113f749-761d-448c-bc4d-7e50dac015c1} 552 "\\.\pipe\gecko-crash-server-pipe.552" 3816 20873758 tab
        6⤵
        
        PID:2584
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="552.5.238273862\1783441525" -childID 4 -isForBrowser -prefsHandle 3924 -prefMapHandle 3928 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae05156e-141e-4da1-80bc-de6e29235dae} 552 "\\.\pipe\gecko-crash-server-pipe.552" 3912 20875258 tab
        6⤵
        
        PID:1792
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="552.6.1396124770\224378926" -childID 5 -isForBrowser -prefsHandle 4088 -prefMapHandle 4092 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b66b770-6143-4fea-95d8-371b29748b92} 552 "\\.\pipe\gecko-crash-server-pipe.552" 4076 20875858 tab
        6⤵
        
        PID:2188
- - C:\Users\Admin\AppData\Local\Temp\10011930101\c29852d5bc.exe
    "C:\Users\Admin\AppData\Local\Temp\10011930101\c29852d5bc.exe"
    3⤵
    PID:596
- - C:\Users\Admin\AppData\Local\Temp\10011940101\18fdc13e37.exe
    "C:\Users\Admin\AppData\Local\Temp\10011940101\18fdc13e37.exe"
    3⤵
    PID:1188
- - C:\Users\Admin\AppData\Local\Temp\10011950101\689eb38c4e.exe
    "C:\Users\Admin\AppData\Local\Temp\10011950101\689eb38c4e.exe"
    3⤵
    PID:3208
- - C:\Users\Admin\AppData\Local\Temp\10011960101\092bfedaca.exe
    "C:\Users\Admin\AppData\Local\Temp\10011960101\092bfedaca.exe"
    3⤵
    PID:3736

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
adc696586a62d3dc7885715babf83fc1

SHA1
a56c9166a29a21431e5964c2c6dc5cb758b5d402

SHA256
ee8864ea68b56d7f8affb3000355314239daa8e1722abf11987ff80d570049c4

SHA512
9ec11b9299dc091e5b6ab4b348cea4a95c54c24b04b5c3e3032101641df9f839e19c7dbd8d251f897b27b933b9d324084f27e3206d4bcf08e8f9e6df5ceea8b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e735e8c11222339cca75138536b3aef

SHA1
004a052ce955fcb8b4699896d1ee7b39e3cce449

SHA256
9bdccd202a0517c3bcac300732b7f1ec65df5a61fa5affa65c7a25b0e62bd9dd

SHA512
6428c5399c486b88f78092a7b1ae9e30bc8e9748b8c50fefd1d6a96e3ca2b76a7fca3ec3d9094f5c8e179169fabeaec456d253c9cbf496dabaa65b1a3ea4936b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
137b3d3d8d275f61d0619ce390af2fa8

SHA1
056f1a69a9713c2d6f3c50723a26f0b81026063b

SHA256
5c56f17931ccccc32aff8e97f18494ba10f431a5c91f9967d18d91fef45b28e7

SHA512
cd7d415b17ea4c5f7ef179000bdcb6f0d7608099afa21a8adf8a11726cdc1b4d53947c09b310eba9c17ccd1de549eb3a4f215cdede6a250553598a0f53a9fd3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
741b03a31615134d5ccd4702b2c98753

SHA1
bead4e2b2e1a2ddd270f36805c3d266966606121

SHA256
ca3939801df2c84347b5b6de9b222aba1207a016134f6855ad39ee6fdcec51e9

SHA512
cdef52029ad0c1482cd9a597fa6e0b33c9d1e383ee6c8593a71f804906891a2e31caacbdba3041684cc6ac8f2dd82bba6e8386f859d9ca0ee912046543e8cbe9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\activity-stream.discovery_stream.json.tmp

Filesize
30KB

MD5
77b49a2eadc69c05f8f8f98da0fd41a4

SHA1
4fd28acf18134cb837b8f22ccdaa305d3f6050f3

SHA256
1ee27e2b7a3f1a34617e7dcf97b518755b28a21a5e6ccdc18d00d27d708723a9

SHA512
d1871c656f514f2e6aaef8cd6e968b1cee53b08c272234de53bdf191a57228cf2de7aae3d6ec501186d2079c3130d102b334a3714d4df7d1107a30c6d9960243

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000300101\q3na5Mc.exe

Filesize
8.7MB

MD5
1684e9b9f85aaf93d1a90063d386b67f

SHA1
4ee1fb056218b85f39cd3a35c702aebf00d78f25

SHA256
3d4a254a1e3f1774d188d81c22f4db19d0cd3d6b47eb034ecfcd15a5667a45a0

SHA512
1c3dd0f07a1daa62e7af3b4ef2120ff722b3e7cd8cdf61713812e2945314f108fa1e66468fa28d1f23a996bf9016bd1f3aab2dd98f40492793f9dc5924939559

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000540101\bgUvqLl.exe

Filesize
2.8MB

MD5
21cbf1c19605fa8a2dc9cd40990139ca

SHA1
a2c2c891b7f156bbf46428889cec083a4ae1b94c

SHA256
2bed46c8233ce24e911ae5264ffd59ec0932e711c2e5ba8d4171d34684d156ac

SHA512
43fe77ca93a34fdab17e508933c5476b149103320cce0abd44ea5bbe7ab91eec9990c3fce591f0ccd677b375ca74225e45d27638e5459e949cd18d78a61e3e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000650101\Y9WG5Ep.exe

Filesize
2.8MB

MD5
94d7289747041efa94370702bf2d4727

SHA1
62f79d15ad0f5d08bfacaf4628f818c2e391ab05

SHA256
b2a5a1847fed215237dceb8224e7273f01883b2015be8af271b8979ce98820d2

SHA512
90f31082d2c4d1e09e16561c48fa2cbd1f6b80e111d030e4524c4044d67db8cb359064e0afd0d1f112500b76ac5f68f811419042ba533df0c48808e51f6bc70a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10001080101\wKG7rkG.exe

Filesize
830KB

MD5
de31bee3196304b8023cd619b8c71af0

SHA1
b60774212ab0fe80d880c744b6fbec3839617468

SHA256
93187f4638988da44440e5b2b589af4e9611d8bc6732888961ba78f31b770c90

SHA512
66ba6c7226dfa132441f28dd343c33ba9ef218b878e32057cb1f78e0b889dabdb5317f39062aeadaf889f36bddc9efece18cee9027562dac68ce53401bccff26

Download Submit
C:\Users\Admin\AppData\Local\Temp\10003000101\c78cf2b03a.exe

Filesize
680KB

MD5
a4c5a4d643977f476f1e0048b68c7d54

SHA1
2e09cf27a9525a9e571ae8a8fc332505b8701d87

SHA256
5654aa0407c06a1dd21ad9c169b082683297b32a967bbd5cef28bb935f1885c7

SHA512
8849a7a62e83162d521012c08806e2d0d210ae531d3ef9be52d4d02761e24b488534d788d6917b17e35c21e124c24ad08e5b62123d407cb65138444dabf8e650

Download Submit
C:\Users\Admin\AppData\Local\Temp\10007960101\8NsQP4U.exe

Filesize
818KB

MD5
867903a3686f5cc6f5b9127cdfde51c7

SHA1
c5ae9fb62c4d05b230066191f8edf91dc8fa986a

SHA256
b2370b04f1b422b817299a8e6e17e30d60583b443f5923479462d2823a929706

SHA512
0d54991e4efe890a8603d9c30b279a311a944379634abf626fb985d9212c3b486aef4d8a721104bd25dd3c55c4d59dc0ecdf2ac98c1edd826eaee7f098892680

Download Submit
C:\Users\Admin\AppData\Local\Temp\10008470101\E3WGlpL.exe

Filesize
2.9MB

MD5
522da810421341bcb17cbbc6c3a5b985

SHA1
400ac9b327e8b78c1d6171c95248bd527cf8adef

SHA256
4fdde450218490a8708204630aa45ab49241504d84bce8309319ab7b41f669b0

SHA512
46f49554ea5096a3fb47efa2421ef1c7b35dbec3519c28eb74bd3705a2366e54e946909c043b46477c00f2bacef6e6ffe733c613098763bf8ce56a42fbed36a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\10009960101\0iMSdYX.exe

Filesize
10.2MB

MD5
6e17c374e3828297ad1b8e40b3809c0c

SHA1
44a28a2765149422d8384cda169c1cff77dee40c

SHA256
fca0a09f36e3113cb76d31db06e30dc531a59556e237965ed0a7ebf33ffce11f

SHA512
85426da583c9767ca6ddcfbac76b3e974ae10f6f93366a2e8f955fd1cffcaf016d16e380287eb2533a723283fa3134aca1327e1a79668fba314747fde5807032

Download Submit
C:\Users\Admin\AppData\Local\Temp\10010280101\jC506fQ.exe

Filesize
551KB

MD5
cb60829314ce86dd8f1fb3fe6f083aff

SHA1
7ca2487b3ccce1b0bb298395f86df8dbe7283298

SHA256
20c9eae56214653b0834e3da203c68edeedfe8bcc76e41472c1aef766d84b059

SHA512
321dd8664eeadb9182a44422cd09e9cb57c4514233a12463139a22fc5eb0edecc2f252ca1218222ccc303170f996653712c2ae492c2877582236a4355db994fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\10010480101\RHPLumH.exe

Filesize
4.0MB

MD5
8d0868398de40e6e16a7c541f07e5e09

SHA1
f234a679a7888427b3d78d2c56fc1fc60e84bb78

SHA256
d3477c131aada6b4af6ac738bc3d2d08785d5b8c981e92e621013b4653c651bb

SHA512
c134a2e9545d136716e56adba8efd9cd7c21ac4b2948efe7d482708474e1b00117382093f90ea51af72d93787cff07c490b917afa6918d4537a2b7687cbab86c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10010510101\bgjeiNH.exe

Filesize
669KB

MD5
d0a5c48da36400273b11983010a21037

SHA1
406db6efac7c519ef88cbf0e7ac101fe71f59d82

SHA256
3954800c8ab54fc58cf67954d44f20565b82e2f75487076bfec4e652ef482cac

SHA512
0a6f5242ace7b57cf71fab5beadf41d542056e83634ae54bd38f7513c62f385ab4880222f982e88bc0af1cc17a04d6aedab334472967dd135c74825cbfa118e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\10011910101\2ee628e0f3.exe

Filesize
3.0MB

MD5
60455f9365c5a588dcfefe049b3df452

SHA1
968cb01b0a60c32ae306329c2b02c4e61222325e

SHA256
3caccfa3c3dad8e81d17ba01c2874c74fd7329d5b484950cc2ce314f0b436dba

SHA512
f25b37f3bf8bbcd6b1c3d0e49dde1a5f67fa331d8fd876e94ac90453aa7352df4843a809d4adb80c389288b9fc5b0a6b485ec51cea4b5e8dc592f66668adfac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\10011920101\34ebed4ae8.exe

Filesize
948KB

MD5
1e4a5d453a53f6e29f5a38d5e7346ced

SHA1
edfd240ce2a90b64a3f01b7312f70e063cc7132b

SHA256
eb1e9e52eea209244ce7d4e4ebdfb4ebda61fddda29e9b19f9893112c437becd

SHA512
073cb2eed03183ccb9b78843fc6f5e1e015f03b761927a3d03687f9421835980cf1da529e060c45c3f10f1866abdc55ea04425a6f6d339b65038c3f18a37d3ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\10011930101\c29852d5bc.exe

Filesize
1.7MB

MD5
0821aec85f45e2dc418f7679840cc6cb

SHA1
34a9ad5ada7ed4dd3708fa28340b495a76bd1978

SHA256
a2e8dec5595834c5c2d6a528f64a80d2e8ae8196a4299520d29083aa033e8647

SHA512
77e48ffa9e2aeecdb7c94a0a871e9b3ea90f727343b386707159edb835e1f27eed20a0d9c37eceaaa7d02687f7ac955cbaff09928c1db8dea6c0d7e7afe73535

Download Submit
C:\Users\Admin\AppData\Local\Temp\10011940101\18fdc13e37.exe

Filesize
2.8MB

MD5
ee826c9bbd867ced6522ec1972c0673f

SHA1
c98e1d991db26ad5856aae19bfec0eac433e1bfd

SHA256
4689caa8c98791cc18828b08579c2b8e6756b2a1059bccd7fccb9f376b89c374

SHA512
89aa06483d5e63d211f7f76b124d59b9321f372d7b59b64d1bf70564b3815a9df4fb73c55e7f7bd80b8108621f91845e9c388703d682805f2b9a57e6bd19dc6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10011950101\689eb38c4e.exe

Filesize
3.8MB

MD5
5a4ab597ed3024a1aaf6922eba22b724

SHA1
65285af68a9a8e469f0cc6b2ae9f3ac4bff3bdad

SHA256
16a6b52e068795ff9be36e5867d35d062e096533f96b923ace6733ea6a00d247

SHA512
7f638727760491f71cf48d20ceebb05644a19f1ced9835b53719358e7cb8c522e18afbacc566d9a95d14033c3758c2b1bb053ef72e59de088a7dcadec2f5efc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10011960101\092bfedaca.exe

Filesize
2.8MB

MD5
5501ead204f5c1f1490ade039664da0c

SHA1
8a4ebbb6c89ffe7271c7edfa4915453cdc1f59ca

SHA256
1aa6a78073048e3964f921581517e69bcdb8940cc6a5ea1dff166b973291d46c

SHA512
964bfb03c0cb884d175ec11762e0ca778c67812e7d5f2d2f32faf3941b46e9a4fd8acd04117933860e4f0bd8ac7a638c5a9e2fcd1d981f3ec18a0a0ceb44a6fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB119.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB16A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

Filesize
429KB

MD5
a92d6465d69430b38cbc16bf1c6a7210

SHA1
421fadebee484c9d19b9cb18faf3b0f5d9b7a554

SHA256
3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77

SHA512
0fc65c930a01db8cf306252402c47cf00b1222cd9d9736baf839488cdd6cf96ae8be479e08282ec7f34b665250580466a25cdfc699f4ecef6d5e4d543db8c345

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CCABS70C5XKLG48RHOBR.temp

Filesize
7KB

MD5
c316477f414347b80083e4ba4c98ece6

SHA1
0a8aeb1481c1ec936808307f75528fe6a213b006

SHA256
6de33c87a434c726ddde1bb465e83a4a7e69ff92cf99e112b575f8fd38b52a0b

SHA512
ce3282f477e30ce2afacb19dd7b2b26ae3b5af20b58546323acbc0466379a6b7f9844395fd0b557ea7709812d2419b18d17316e13dac276a92a3efd851920648

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
7da5ca3c470b42bc440db856d5a3eec7

SHA1
f99e67ba6df73c0d2f444664a6acd9a4a460b6d9

SHA256
39d5265176b683c0d1b64f8edc6e72848047d1c19a6c8bf5da5ed764aa33bf0e

SHA512
d4bd4f4d6a69c5454bd02082e69264f17a05e9a7b556a6c2a975759097c2ed9aa8fe61bdf8825d5814b130945853801ed1186634a2fe54f87c392dad6285bf4b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\datareporting\glean\pending_pings\434d28fd-955b-4b67-9f77-5034f85c2ad3

Filesize
12KB

MD5
dc574052b3562c4b5b6d7849d5e7505b

SHA1
1f663c6708d1864cf42db4ffd4f6b39121f25dbf

SHA256
ab10a79c766a43011669f92e6f9306a0b56c00b803707bccf84f139c742c1337

SHA512
a97f575b640c82b90308820edebc57d0d6c28740b3fe7eb41758fab96c30684010a2f7ba492650ef06d79ccede481bdb57f46f31fada436d08e4f4ba245a1d41

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\datareporting\glean\pending_pings\b65f0e89-b8c4-47e6-8bf6-4e74585378e6

Filesize
745B

MD5
122a23287b9d1414e18ca7758c3d5111

SHA1
692832dd8bd52a1ab1f3072618b9a5a5772dcf96

SHA256
7b62d8f2bc67fa6eb697dc693f425395d06734d1e7652d4977576ca3909ea948

SHA512
989eb30241a68f9177d72ab16e037af4fcbb142eb5cf6e64d8badc3edf2c5a0571f67c1611814e724d88f5afb10acdc7546b33ace7223e25171fc49206fb40db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
10.2MB

MD5
b63b0a7ea9dac6a5d1b13a0a70bf5036

SHA1
dd7d444c55cabb5b02aa37e4e205cd0618e91ca5

SHA256
98a33b2c827e9ee7488f8ce88fbeabcc969517d8c0ee7b31ac1cff0480153bb0

SHA512
765183fc1e13199037663aed5a088d581549e3b102e5e5ffa29438e8bac72e02b14ecf42dcfd122a8cb20dfd9eedbc3629c6b297a69cb8ed0d6514505ed18e47

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\prefs-1.js

Filesize
7KB

MD5
8aa0c3ec6b464180d6f822504ba44130

SHA1
cbf85b1458f9b71e8d722f75024f4bce8fad251d

SHA256
579612957f6f14120689ce7f6e32e1094adac82e25bae78ab2c75b47955ab7a0

SHA512
d1ad440c093a42ed2f3e21f43639a9c95f8a8959fb1389035c060ca382707f92d65b00a50b660418cc0caab72898567d7755f079bdd03ac60a61c78c01c55943

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\prefs.js

Filesize
6KB

MD5
eda05e13a17c7b002a9c934eff4fdd60

SHA1
6f067771c3919c7fbe2aaa0b2a0475e639cb27e3

SHA256
acd6fd363553b10423af92a86e04871bd9e7b56a25c48515ea5a1c1d4225a1df

SHA512
8fcb8e22a0c82fa85241f0e38a8ef0136c862d4edb0035d15232a22ef7f8cacf5c5134a8e0e8d9aebf7acdc0911d699d82568a85deff83aba41c996c87e9c959

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\prefs.js

Filesize
6KB

MD5
2c3ae13a7ad5acd7def974442311ba25

SHA1
376fa8ee7841bad200f7fb9a3d23572003a6f025

SHA256
da65326dd17c6d57f0a58a71786f1856b502f219ceaf6fd0d32324f8c141f3b6

SHA512
9c7a7e64d44cefda4f1f771bedde2aabc3e316bf218c52f2c208d9135a0fdcb14aebf0a755cc9cea43b4acad92ba4e68b5bde3b6767d7e1355c429aefec60cd1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
0db684ebcee06410eca18d1ffeb87542

SHA1
155396ac9d98824e7f0a99278519fbf0df291ae0

SHA256
af7e1d74a4b1cebbb85968fda107e3367ad219e78264842da28077c79212f0e4

SHA512
754d281521963ff61f412f9a9fe88e2ab47ffc7821410885308b696f151372aca2c179ca096bbede1b2709c347cabcb01635fdbbc41c3227b9db767c61451471

Download Submit
C:\Users\Admin\AppData\Roaming\nahprot.bat

Filesize
10.1MB

MD5
4eb348c6ecbb8c6e4c5543fc254ce626

SHA1
f24923fcd2bb9148270e08622fa6c1079aa81fe1

SHA256
f1a5969e8b42932f80dc6e74d3301f120cba27a0b27ba2c92ebef7539a89e633

SHA512
69b48d17bd205092d3cf3c856ce3920b922f2b701294299b9097613b74acce3d8b866f96557ba532b973f6b321b1705251feb9f85af2edf54aa75c032fae878f

Download Submit
memory/596-1165-0x0000000000F50000-0x00000000013C0000-memory.dmp

Filesize
4.4MB

Download
memory/596-1167-0x0000000000F50000-0x00000000013C0000-memory.dmp

Filesize
4.4MB

Download
memory/596-1168-0x0000000000F50000-0x00000000013C0000-memory.dmp

Filesize
4.4MB

Download
memory/596-1204-0x0000000000F50000-0x00000000013C0000-memory.dmp

Filesize
4.4MB

Download
memory/668-296-0x0000000000D20000-0x0000000000DF6000-memory.dmp

Filesize
856KB

Download
memory/688-130-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/688-132-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/688-129-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/688-125-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/688-127-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/820-857-0x0000000000980000-0x00000000013ED000-memory.dmp

Filesize
10.4MB

Download
memory/820-854-0x0000000000980000-0x00000000013ED000-memory.dmp

Filesize
10.4MB

Download
memory/928-839-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/928-838-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/1140-80-0x0000000000D50000-0x0000000000E26000-memory.dmp

Filesize
856KB

Download
memory/1188-1197-0x00000000000A0000-0x000000000039C000-memory.dmp

Filesize
3.0MB

Download
memory/1188-1193-0x00000000000A0000-0x000000000039C000-memory.dmp

Filesize
3.0MB

Download
memory/1304-116-0x00000000012D0000-0x0000000001380000-memory.dmp

Filesize
704KB

Download
memory/1548-306-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1548-311-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1548-300-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1548-313-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1548-308-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1548-304-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1548-310-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1548-302-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1592-61-0x0000000000050000-0x0000000000359000-memory.dmp

Filesize
3.0MB

Download
memory/1592-63-0x0000000000050000-0x0000000000359000-memory.dmp

Filesize
3.0MB

Download
memory/1656-94-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1656-83-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1656-93-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1656-89-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1656-91-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1656-96-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1656-85-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1656-87-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2024-615-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2024-593-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2024-243-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2024-680-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2024-657-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2024-407-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2024-648-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2024-804-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2024-701-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2024-480-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2024-479-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2024-498-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2024-571-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2024-676-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2024-784-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2024-724-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2024-590-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2024-723-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2024-244-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2024-704-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2080-817-0x0000000000080000-0x0000000000AAE000-memory.dmp

Filesize
10.2MB

Download
memory/2128-652-0x0000000000030000-0x0000000000343000-memory.dmp

Filesize
3.1MB

Download
memory/2128-700-0x0000000000030000-0x0000000000343000-memory.dmp

Filesize
3.1MB

Download
memory/2400-952-0x0000000000FE0000-0x0000000001090000-memory.dmp

Filesize
704KB

Download
memory/2484-1-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/2664-831-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2664-832-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2904-994-0x0000000004920000-0x0000000004C23000-memory.dmp

Filesize
3.0MB

Download
memory/2904-58-0x0000000003E00000-0x0000000004109000-memory.dmp

Filesize
3.0MB

Download
memory/2904-1194-0x0000000004AB0000-0x0000000004F20000-memory.dmp

Filesize
4.4MB

Download
memory/2904-1164-0x0000000004AB0000-0x0000000004F20000-memory.dmp

Filesize
4.4MB

Download
memory/2904-1195-0x0000000004920000-0x0000000004C1C000-memory.dmp

Filesize
3.0MB

Download
memory/2904-1192-0x0000000004920000-0x0000000004C1C000-memory.dmp

Filesize
3.0MB

Download
memory/2904-649-0x0000000004920000-0x0000000004C33000-memory.dmp

Filesize
3.1MB

Download
memory/2904-1198-0x0000000004AB0000-0x0000000004F20000-memory.dmp

Filesize
4.4MB

Download
memory/2904-650-0x0000000004920000-0x0000000004C33000-memory.dmp

Filesize
3.1MB

Download
memory/2904-59-0x0000000003E00000-0x0000000004109000-memory.dmp

Filesize
3.0MB

Download
memory/2904-41-0x0000000003E00000-0x0000000004109000-memory.dmp

Filesize
3.0MB

Download
memory/2904-1222-0x0000000004A70000-0x0000000005490000-memory.dmp

Filesize
10.1MB

Download
memory/2904-1223-0x0000000004920000-0x0000000004C1C000-memory.dmp

Filesize
3.0MB

Download
memory/2904-1166-0x0000000004AB0000-0x0000000004F20000-memory.dmp

Filesize
4.4MB

Download
memory/2904-39-0x0000000003E00000-0x0000000004109000-memory.dmp

Filesize
3.0MB

Download
memory/2904-1080-0x0000000004920000-0x0000000004C23000-memory.dmp

Filesize
3.0MB

Download
memory/2904-853-0x0000000004920000-0x000000000538D000-memory.dmp

Filesize
10.4MB

Download
memory/2904-856-0x0000000004920000-0x000000000538D000-memory.dmp

Filesize
10.4MB

Download
memory/2904-927-0x0000000004920000-0x000000000538D000-memory.dmp

Filesize
10.4MB

Download
memory/2904-803-0x0000000004920000-0x0000000004C33000-memory.dmp

Filesize
3.1MB

Download
memory/2904-996-0x0000000004920000-0x0000000004C23000-memory.dmp

Filesize
3.0MB

Download
memory/2988-40-0x0000000000BF0000-0x0000000000EF9000-memory.dmp

Filesize
3.0MB

Download
memory/2988-43-0x0000000000BF0000-0x0000000000EF9000-memory.dmp

Filesize
3.0MB

Download
memory/3020-995-0x00000000003C0000-0x00000000006C3000-memory.dmp

Filesize
3.0MB

Download
memory/3020-998-0x00000000003C0000-0x00000000006C3000-memory.dmp

Filesize
3.0MB

Download